The --seed option of certtool creates a possible security loophole
Under POSIX-like operating systems, the command line arguments of all executed commands are visible to all users on the system.
If malicious user Eve watches the certtool invocation of a different user Alice who is using the --seed option, Eve will know what seed Alice's private key has been generated from.
If Alice also used the --provable option, Eve will even be able to reconstruct Alice's private key, which is a very bad thing.
Recommendation: The --seed option should either be removed or be explicitly documented as suitable for debugging and testing only. A new option should be added that allows the seed to be read from a file. In this case, Eve will only see the filename on the command line, but not the contents of the file.
BTW: The --password option has quite a similar problem, but there it is possible to read the password from standard input or from the configuration file. Can the seed perhaps also be read from the configuration file? If so, neither the documentation nor the example configuration file mentions it.
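To make the exposure and the proposed mitigation concrete, here is an added example that is not part of this report and not GnuTLS or certtool code. It shows, first, that any local process can read another process's arguments back from /proc/<pid>/cmdline (so a seed passed as an argument is visible to every user), and second, a file-based loader of the kind the recommendation asks for, which also accepts "-" for standard input as the --password option does. The function names, the hex seed encoding, the 0600 permission requirement and the sample seed value are assumptions made for this example.

```python
"""Constructed demonstration (not certtool code): why a secret passed as a
command-line argument is exposed to every local user, and a file-based
alternative a tool could offer instead. All names here are hypothetical."""
import os
import stat
import subprocess
import sys
import tempfile


def seed_visible_in_proc(secret: str):
    """Start a helper process carrying `secret` in its argv and check whether
    another process can read it back from /proc/<pid>/cmdline.
    Returns True if visible, False if not, None when /proc is unavailable."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)", "--seed", secret],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        path = f"/proc/{child.pid}/cmdline"
        if not os.path.exists(path):
            return None          # not a Linux-style procfs; nothing to inspect
        with open(path, "rb") as f:
            argv = f.read().split(b"\0")   # arguments are NUL separated
        return secret.encode() in argv
    finally:
        child.kill()
        child.wait()


class SeedFileError(ValueError):
    """Raised when the seed file is unusable or unsafely exposed."""


def load_seed_from_file(path: str) -> bytes:
    """Read a hex-encoded seed from `path`, or from stdin when path is "-".
    A file readable by group or others is refused, because that would
    reintroduce the same exposure the command line has."""
    if path == "-":
        data = sys.stdin.readline()
    else:
        st = os.stat(path)
        if not stat.S_ISREG(st.st_mode):
            raise SeedFileError("seed file must be a regular file")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise SeedFileError("seed file is readable by group or others")
        with open(path) as f:
            data = f.read()
    try:
        return bytes.fromhex(data.strip())
    except ValueError:
        raise SeedFileError("seed must be hex encoded") from None


def write_seed_file(path: str, seed_hex: str) -> None:
    """Create the seed file with owner-only permissions from the start, so
    there is no window in which it is world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(seed_hex + "\n")
    os.chmod(path, 0o600)        # also tighten a pre-existing file


def seed_file_roundtrip(seed_hex: str = "00112233aabbccdd"):
    """Write a seed with 0600 permissions and load it, then loosen the
    permissions and confirm the loader rejects the file.
    Returns (loaded_seed_bytes, rejected_when_group_readable)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "seed.hex")
        write_seed_file(path, seed_hex)
        loaded = load_seed_from_file(path)
        os.chmod(path, 0o644)
        try:
            load_seed_from_file(path)
            rejected = False
        except SeedFileError:
            rejected = True
    return loaded, rejected


if __name__ == "__main__":
    print("seed visible via /proc:", seed_visible_in_proc("c0ffee"))
    print("file round trip (seed, rejected when 0644):", seed_file_roundtrip())
```

Note that `seed_visible_in_proc` reads the child's arguments from its own user account for simplicity; on a default Linux system /proc/<pid>/cmdline is world-readable, so the same read works from any other local account, which is exactly the problem the report describes. The permission check in the loader is what the file-based option buys you: the seed can now be protected by ordinary file permissions, which the command line cannot be.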
Additional references:
Other downstream bug reports related to this issue:
https://github.com/ShiftMediaProject/gnutls/issues/22
Known external projects blocked by this issue: