1 |
On Thu, 21 Dec 2017 10:10:30 -0500 |
2 |
Michael Orlitzky <mjo@g.o> wrote: |
3 |
|
4 |
> The "cracklib" USE flag has long (since 2007ish) been enabled by |
5 |
> default for all profiles. But, the features that it provides are not |
6 |
> critical for any of the packages that use it: typically, the library |
7 |
> is used to evaluate a candidate password and to prevent the user from |
8 |
> choosing a weak one. |
9 |
> |
10 |
> Since the flag is not critical, and because we now have per-package |
11 |
> USE defaults, this commit removes it from base/make.defaults. |
12 |
> |
13 |
> Closes: https://bugs.gentoo.org/635698 |
14 |
|
15 |
As there: |
16 |
|
17 |
So as to recap that lengthy discussion of the pros and cons of having |
18 |
cracklib protect people from using bad passwords by default, to you it |
19 |
does "not look critical". I can't even tell what you mean by that. I |
20 |
guess you were picking low hanging fruits and thought you might start |
21 |
some spring cleaning? Because that's the only thing I can make of this |
22 |
change: it's old so it's probably useless. |
23 |
|
24 |
Let me (easily) counter that by stating that having cracklib in place |
25 |
makes people pick better passwords. Especially the brand new Linux |
26 |
users we see so many of might benefit from a default mechanism that |
27 |
helps them make better security choices, but I am sure even advanced |
28 |
users and systems administrators might set a "temporary" POC password |
29 |
"quickly" and then later see their systems go into production without a |
30 |
second thought about using stronger passwords. |
31 |
|
32 |
Please close that bug report. |
33 |
|
34 |
|
35 |
|
36 |
Kind regards, |
37 |
jer |