From 30b4b153d61cea0b1ce4faf7b41f2e454cb4ec9f Mon Sep 17 00:00:00 2001 From: Paul Eggleton Date: Thu, 21 Apr 2022 18:40:35 -0700 Subject: ref-manual: add a note about hard-coded passwords It seems prudent to point out that hard-coding passwords in the manner detailed in the example is not a good idea in production. This type of mistake has unfortunately been made by many device vendors (outside of the Yocto Project context) leading to security vulnerabilities. (From yocto-docs rev: 1d07dba9423ae0a841eccb58c297e31b63c3965d) Signed-off-by: Paul Eggleton Signed-off-by: Richard Purdie --- documentation/ref-manual/classes.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index 6ba792d3f9..60423d8533 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst @@ -576,6 +576,14 @@ Finally, here is an example that sets the root password:: usermod -p '${PASSWD}' root; \ " +.. note:: + + From a security perspective, hardcoding a default password is not + generally a good idea or even legal in some jurisdictions. It is + recommended that you do not do this if you are building a production + image. + + .. _ref-classes-features_check: ``features_check.bbclass`` -- cgit v1.2.3-54-g00ecf
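Review bot: the added note tells the reader what not to do but gives no alternative, so someone who needs a root password on a production image is left with the `usermod -p '${PASSWD}' root` example immediately above and no guidance on what to do instead; consider adding one sentence pointing to an alternative (for example, setting the password at first boot or provisioning it per device). The wording "is not generally a good idea or even legal in some jurisdictions" also reads as if legality were the lesser concern; "is generally not a good idea, and may not even be legal in some jurisdictions" says the same thing more clearly. Minor: the hunk adds two blank lines before `.. _ref-classes-features_check:` where one is enough for the rst label.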