When convert2rhel registers a system with subscription-manager, it shells out to the subscription-manager program. If the user gave convert2rhel a password to authenticate with subscription-manager, this ends up being passed on the subscription-manager command line. Passing secrets on the command line is insecure because unprivileged users can read the process list which includes the command and all arguments to the command.
In the short term we can handle this problem by invoking subscription-manager via pexpect.spawn() without giving it the password. In this case, subscription-manager will interactively prompt for the password and we can then use pexpect to send the password.
Longer term, subscription-manager is going to add the ability to pass the password via a file and we can then use that to pass in the password:
Embargo lift date: TBD