There's this code in debian/mariadb-server-10.1.postinst script:
On initial installation it creates world-readable /etc/mysql/debian.cnf, writes a password and then revokes privileges. This makes little theoretical gap when attacker may intercept debian-sys-maint password.
Also password goes via a number of echo calls. It might be alright since echo is bash builtin. But echo has rather poor reputation as a tool for handling passwords.
In addition to that REPLACE statement against mysqld --bootstrap is used to update password:
- it bypasses password validation plugins
- it bypasses audit plugins
- it increases installation time (it has to run rather heavy mysqld)
- as well as it increases mysqld downtime
- it may fail if database has some plugin specific configs (see MDEV-8437 Closed )