| 1 |
On Thu, 21 Dec 2017 10:10:30 -0500 |
| 2 |
Michael Orlitzky <mjo@g.o> wrote: |
| 3 |
|
| 4 |
> The "cracklib" USE flag has long (since 2007ish) been enabled by |
| 5 |
> default for all profiles. But, the features that it provides are not |
| 6 |
> critical for any of the packages that use it: typically, the library |
| 7 |
> is used to evaluate a candidate password and to prevent the user from |
| 8 |
> choosing a weak one. |
| 9 |
> |
| 10 |
> Since the flag is not critical, and because we now have per-package |
| 11 |
> USE defaults, this commit removes it from base/make.defaults. |
| 12 |
> |
| 13 |
> Closes: https://bugs.gentoo.org/635698 |
| 14 |
|
| 15 |
As there: |
| 16 |
|
| 17 |
So as to recap that lengthy discussion of the pros and cons of having |
| 18 |
cracklib protect people from using bad passwords by default, to you it |
| 19 |
does "not look critical". I can't even tell what you mean by that. I |
| 20 |
guess you were picking low hanging fruits and thought you might start |
| 21 |
some spring cleaning? Because that's the only thing I can make of this |
| 22 |
change: it's old so it's probably useless. |
| 23 |
|
| 24 |
Let me (easily) counter that by stating that having cracklib in place |
| 25 |
makes people pick better passwords. Especially the brand new Linux |
| 26 |
users we see so many of might benefit from a default mechanism that |
| 27 |
helps them make better security choices, but I am sure even advanced |
| 28 |
users and systems administrators might set a "temporary" POC password |
| 29 |
"quickly" and then later see their systems go into production without a |
| 30 |
second thought about using stronger passwords. |
| 31 |
|
| 32 |
Please close that bug report. |
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
Kind regards, |
| 37 |
jer |
Archives