Context
raspberrypi4-64.yml currently sets EXTRA_IMAGE_FEATURES += "debug-tweaks" to enable a login prompt on the serial console with an empty root password. This was added during local QEMU testing (commit 4732de4) so we could shell into the emulated CM4 image.
Why this must go before flashing any production station
- Empty root password on the serial console = anyone with physical access to the station can log in as root without credentials.
- Stations are intentionally designed to have no local login auth; remote shell access happens exclusively through the station-agent terminal feature (Django WebSocket → Agent-signed channel → PTY spawn).
debug-tweaks also weakens other defaults (allow-empty-password, password-less sudo for sysadmins) that shouldn't exist on a remote fielded device.
Acceptance criteria
Not scoped here (follow-ups)
- Per-station recovery key provisioning workflow in Station Manager Builder.
- Decision on whether a serial-console emergency shell should exist at all (and if so, how it's gated).
Context
raspberrypi4-64.ymlcurrently setsEXTRA_IMAGE_FEATURES += "debug-tweaks"to enable a login prompt on the serial console with an empty root password. This was added during local QEMU testing (commit 4732de4) so we could shell into the emulated CM4 image.Why this must go before flashing any production station
debug-tweaksalso weakens other defaults (allow-empty-password, password-less sudo for sysadmins) that shouldn't exist on a remote fielded device.Acceptance criteria
EXTRA_IMAGE_FEATURES += "debug-tweaks"line fromraspberrypi4-64.yml.multi-user.targetand runsstation-agent.service(no login prompt needed).README.md.Not scoped here (follow-ups)