Error uninstalling Spotify and Spotify Connect plugins

I hope everybody agrees that it should be possible to change the password without breaking the app. I’m a longtime software engineer but haven’t worked directly in Linux or Raspberry Pi. The concept of the root password being a hardcoded, published string leaves me a bit speechless. It is a vulnerability that will be exploited.

I noticed another case of changing the password causing a problem. I’ve been seeing a red warning box appear briefly during bootup, but didn’t look further because I haven’t noticed anything broken.

I’m using the Music Services Shield plugin and I see now that the error message comes from the plugin using the sudo command and passing it the hardcoded “volumio” as the password. When I changed the password, it effectively broke this plugin.

I’m not a security specialist but even I see that some re-architecture is needed. You don’t want to wake up one day and discover that Volumio installations worldwide are getting infected.
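
An audit sketch for the pattern described in the post above, added here as an example and not part of the original post or of any Volumio plugin: it scans a directory tree for lines that feed a literal string to `sudo -S` on stdin and marks hits that use the published default. The `echo ... | sudo -S` and here-string forms, the function names and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the password reaches sudo on stdin via its -S / --stdin option.
SUDO_S = r"sudo\s+(?:-\w+\s+)*?(?:-\w*S\w*|--stdin)\b"
# A bare or quoted literal (no $variable, no `command`) echoed into sudo.
PIPED = re.compile(r"echo\s+(?:-\w+\s+)*[\"']?([^\"'|\s$`]+)[\"']?\s*\|\s*" + SUDO_S)
# Bash here-string form: sudo -S cmd <<< literal
HERESTR = re.compile(SUDO_S + r"[^\n|;&]*<<<\s*[\"']?([^\"'\s$`]+)")


def build_sample_tree(root):
    """Write constructed sample files (not taken from any real plugin)."""
    files = {
        "plugin_a/index.js": "const { exec } = require('child_process');\n"
                             "exec('echo volumio | sudo -S /bin/sh setup.sh', done);\n",
        "plugin_b/install.sh": "#!/bin/bash\nsudo -S true <<< \"volumio\"\n",
        # Password read at run time, not hardcoded: must not be reported.
        "plugin_c/run.sh": "#!/bin/sh\nread -r PW\necho \"$PW\" | sudo -S true\n",
    }
    for name, body in files.items():
        path = Path(root) / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def find_hardcoded_sudo(root, known_default="volumio"):
    """Return (relative path, line number, literal, is_known_default) per hit."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        lines = path.read_text(errors="ignore").splitlines()
        for number, line in enumerate(lines, 1):
            match = PIPED.search(line) or HERESTR.search(line)
            if match:
                literal = match.group(1)
                rel = str(path.relative_to(root))
                hits.append((rel, number, literal, literal == known_default))
    return hits


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_dir:
        build_sample_tree(sample_dir)
        for rel, number, literal, is_default in find_hardcoded_sudo(sample_dir):
            note = " (published default)" if is_default else ""
            print(f"{rel}:{number}: literal {literal!r} fed to sudo{note}")
```

Every hit is a place that stops working when the account password is changed, which is the breakage described above.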