On 12/27/2017 05:49 AM, Jeroen Roovers wrote:
> OK, let me explain again.
>
> In #gentoo we give a lot of attention and support to people who want to
> set up full disk encryption, tor, VPNs, and other security mechanisms,
> and this tells me that they actually want security. By saying that "some
> people [might] want it enabled" you ignore one of the main reasons why
> people turn to Gentoo Linux in the first place.
>
> Having it enabled by default prompts new users and veteran users alike
> to think about password safety, because this means that you get
> reminded of possibly bad passwords *during* installation/while setting
> up your services.
|
Enable it if you want, but base/make.defaults is the wrong place.
|
> People can always disable it easily when they feel they do not need it
> (any longer).
|
Not quite true due to the USE stacking order, as I mentioned on the bug.
|
>> If you disagree, please make your voice heard on the bug.
>
> I already did that parallel to my response here. Note that *this* is
> the proper venue for discussing sweeping changes like this, and that a
> bug report that saw no input from anyone else for a couple of months
> is not.
|
That wasn't directed at you. It was directed at all of the other people
on this list, to avoid exactly this discussion that we're having. If
people voiced their opposition, I was happy to leave it alone. Even
after two threads and a bug, yours was the only sure "no." I think I
convinced floppym that base/make.defaults was the wrong place for it.
And keep in mind that I only asked for responses from people who disagree.
|
> You already went ahead and committed that change without proper
> discussion and waving away the input you did get suggesting you should
> drop it, so I have now reverted it. Next time, please discuss your
> problems with sane defaults like these before doing anything rash.
|
There have been two mailing list threads. The first was two months ago,
|
https://archives.gentoo.org/gentoo-dev/message/8ddc678a05cb6d3b93adfc5a54d6312c
|
and then there's this one, in which I tried to rally people to your
cause (to no avail). Not to mention the bug itself, where I CC'ed every
affected maintainer.
|
> As quoted from the bug report, please address these:
> 1) Why you think having USE=cracklib enabled by default is a *problem*
> which needs to be addressed by way of its removal. My original response
> questioned that, but you didn't actually answer it.
|
I never said that having it enabled by default is a problem. I said that
having it enabled in the base profile is a problem, and semantically
incorrect, as evidenced by the fact that at least one profile has to
unset it. Then there's the stacking issue again, which makes it awkward
to disable if the base profile enables it.
|
> 2) What you plan to do to have USE=cracklib enabled by default. Two
> people suggested you should keep this (one way or another) but instead
> everyone is now without it enabled by default.
|
I plan to do nothing, because I think it should be disabled by default
like all other USE flags. I've CC'ed all of the maintainers who might
want to add the default to IUSE, and apparently none of them do. The
hardened project and base-system are also CCed/assigned in case one of
them wanted to adopt the default.
|
The base profile is the wrong place to enable USE=cracklib, but there
are better places. If none of the people in charge of those places want
to enable the flag, then maybe it should remain disabled.
|
> 3) This bug report sat there for two months without notice to
> gentoo-dev@ (and largely immaterial, without even a response from the
> teams you CC'd). There was no proper discussion about a change that
> affects not just developers, but all users, and hardly anyone knew
> about it until you posted your patch.
|
Two separate threads and a bug CC'ed to everyone affected. What else did
you want me to do?