Gentoo Archives: gentoo-dev

From: Michael Orlitzky <mjo@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [PATCH 1/1] profiles: drop USE=cracklib from base/make.defaults.
Date: Wed, 27 Dec 2017 14:57:55
Message-Id: 3bbd039c-9c4d-0de3-b0db-32ae7f023251@gentoo.org
In Reply to: Re: [gentoo-dev] [PATCH 1/1] profiles: drop USE=cracklib from base/make.defaults. by Jeroen Roovers
On 12/27/2017 05:49 AM, Jeroen Roovers wrote:
> OK, let me explain again.
>
> In #gentoo we give a lot of attention and support to people who want to
> set up full disk encryption, tor, VPNs, and other security mechanisms,
> and this tells me that they actually want security. By saying that "some
> people [might] want it enabled" you ignore one of the main reasons why
> people turn to Gentoo Linux in the first place.
>
> Having it enabled by default prompts new users and veteran users alike
> to think about password safety, because this means that you get
> reminded of possibly bad passwords *during* installation/while setting
> up your services.

Enable it if you want, but base/make.defaults is the wrong place.


> People can always disable it easily when they feel they do not need it
> (any longer).

Not quite true due to the USE stacking order, as I mentioned on the bug.


>> If you disagree, please make your voice heard on the bug.
>
> I already did that parallel to my response here. Note that *this* is
> the proper venue for discussing sweeping changes like this, and that a
> bug report that saw no input from anyone else for a couple of months
> is not.

That wasn't directed at you. It was directed at all of the other people
on this list, to avoid exactly this discussion that we're having. If
people voiced their opposition, I was happy to leave it alone. Even
after two threads and a bug, yours was the only sure "no." I think I
convinced floppym that base/make.defaults was the wrong place for it.
And keep in mind that I only asked for responses from people who disagree.


> You already went ahead and committed that change without proper
> discussion and waving away the input you did get suggesting you should
> drop it, so I have now reverted it. Next time, please discuss your
> problems with sane defaults like these before doing anything rash.

There have been two mailing list threads. The first was two months ago,

https://archives.gentoo.org/gentoo-dev/message/8ddc678a05cb6d3b93adfc5a54d6312c

and then there's this one, in which I tried to rally people to your
cause (to no avail). Not to mention the bug itself, where I CC'ed every
affected maintainer.


> As quoted from the bug report, please address these:
> 1) Why you think having USE=cracklib enabled by default is a *problem*
> which needs to be addressed by way of its removal. My original response
> questioned that, but you didn't actually answer it.

I never said that having it enabled by default is a problem. I said that
having it enabled in the base profile is a problem, and semantically
incorrect, as evidenced by the fact that at least one profile has to
unset it. Then there's the stacking issue again, which makes it awkward
to disable if the base profile enables it.


> 2) What you plan to do to have USE=cracklib enabled by default. Two
> people suggested you should keep this (one way or another) but instead
> everyone is now without it enabled by default.

I plan to do nothing, because I think it should be disabled by default
like all other USE flags. I've CC'ed all of the maintainers who might
want to add the default to IUSE, and apparently none of them do. The
hardened project and base-system are also CCed/assigned in case one of
them wanted to adopt the default.

The base profile is the wrong place to enable USE=cracklib, but there
are better places. If none of the people in charge of those places want
to enable the flag, then maybe it should remain disabled.


> 3) This bug report sat there for two months without notice to
> gentoo-dev@ (and largely immaterial, without even a response from the
> teams you CC'd). There was no proper discussion about a change that
> affects not just developers, but all users, and hardly anyone knew
> about it until you posted your patch.

Two separate threads and a bug CC'ed to everyone affected. What else did
you want me to do?
