On Sun, Mar 16, 2025 at 6:49 AM Daniel Gustafsson <daniel@yesql.se> wrote:
> IIRC the reasoning has been that if a rogue user can inject an environment
> variable into your session and read your files it's probably game over anyways.
(Personally I'm no longer as convinced by this line of argument as I
once was...)
> > It's also possible that we should consider the SSLKEYLOGFILE environment variable some kind of quasi-standard like
> > PAGER, and we should be using exactly that environment variable name like everyone else.
>
> If we would use the same as others, it would make it harder to do fine-grained
> debugging of a session
It also brings up the possibility of two (or more?) separate parts of
the client writing keys simultaneously to the same file through
separate file descriptors, which doesn't seem very fun.
--Jacob
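
The shared-file hazard raised in the message above, as an added example that is not part of the original thread or of the client code under discussion. It assumes POSIX and a writable /tmp; `lines_surviving` is a hypothetical name, the key log lines are constructed placeholders, and the `O_APPEND` contrast goes beyond what the message states.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed key log lines (placeholder values, not real secrets). */
static const char *LINE_A = "CLIENT_RANDOM aaaa 1111\n";
static const char *LINE_B = "CLIENT_RANDOM bbbb 2222\n";

/*
 * Two writers open the same key log through separate descriptors and
 * each logs one line. Returns how many of the two lines are intact in
 * the file afterwards, or -1 on error.
 */
int lines_surviving(int extra_flags)
{
    char path[] = "/tmp/keylog_demo_XXXXXX";
    char buf[256];
    ssize_t n = -1;
    int rfd = mkstemp(path);    /* also serves as the read-back descriptor */
    int fd1 = open(path, O_WRONLY | extra_flags);
    int fd2 = open(path, O_WRONLY | extra_flags);

    /* Without O_APPEND each descriptor keeps its own offset, starting at 0. */
    if (rfd >= 0 && fd1 >= 0 && fd2 >= 0 &&
        write(fd1, LINE_A, strlen(LINE_A)) == (ssize_t) strlen(LINE_A) &&
        write(fd2, LINE_B, strlen(LINE_B)) == (ssize_t) strlen(LINE_B))
        n = read(rfd, buf, sizeof(buf) - 1);

    if (fd1 >= 0) close(fd1);
    if (fd2 >= 0) close(fd2);
    if (rfd >= 0) { close(rfd); unlink(path); }
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return (strstr(buf, LINE_A) != NULL) + (strstr(buf, LINE_B) != NULL);
}

int main(void)
{
    printf("plain open: %d of 2 lines intact\n", lines_surviving(0));
    printf("O_APPEND:   %d of 2 lines intact\n", lines_surviving(O_APPEND));
    return 0;
}
```

With plain opens the second writer overwrites the first writer's line at offset 0, so a session's secrets silently go missing from the log; with `O_APPEND` on both descriptors each write lands at the end of the file.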