On Fri, 22 Dec 2017 12:30:35 -0500
Michael Orlitzky <mjo@g.o> wrote:

> On 12/21/2017 02:27 PM, Jeroen Roovers wrote:
> > On Thu, 21 Dec 2017 10:10:30 -0500
> > Michael Orlitzky <mjo@g.o> wrote:
> >
> >> The "cracklib" USE flag ... this commit removes it from
> >> base/make.defaults.
> >>
> >> Closes: https://bugs.gentoo.org/635698
> >
> > As there:
> >> ...
> >
> > Let me (easily) counter that by stating that having cracklib in
> > place makes people pick better passwords. Especially the brand new
> > Linux users we see so many of might benefit from a default
> > mechanism that helps them make better security choices, but I am
> > sure even advanced users and systems administrators might set a
> > "temporary" POC password "quickly" and then later see their systems
> > go into production without a second thought about using stronger
> > passwords.

> I don't think that "some people want it enabled" is enough
> justification to keep this in the base profile that is the parent of
> all others.

OK, let me explain again.

In #gentoo we give a lot of attention and support to people who want to
set up full disk encryption, tor, VPNs, and other security mechanisms,
and this tells me that they actually want security. By saying that "some
people [might] want it enabled" you ignore one of the main reasons why
people turn to Gentoo Linux in the first place.

Having it enabled by default prompts new users and veteran users alike
to think about password safety, because this means that you get
reminded of possibly bad passwords *during* installation/while setting
up your services.

People can always disable it easily when they feel they do not need it
(any longer).

> If you disagree, please make your voice heard on the bug.

I already did that parallel to my response here. Note that *this* is
the proper venue for discussing sweeping changes like this, and that a
bug report that saw no input from anyone else for a couple of months
is not.

You already went ahead and committed that change without proper
discussion and waving away the input you did get suggesting you should
drop it, so I have now reverted it. Next time, please discuss your
problems with sane defaults like these before doing anything rash.

As quoted from the bug report, please address these:
1) Why you think having USE=cracklib enabled by default is a *problem*
which needs to be addressed by way of its removal. My original response
questioned that, but you didn't actually answer it.

2) What you plan to do to have USE=cracklib enabled by default. Two
people suggested you should keep this (one way or another) but instead
everyone is now without it enabled by default.

3) This bug report sat there for two months without notice to
gentoo-dev@ (and largely immaterial, without even a response from the
teams you CC'd). There was no proper discussion about a change that
affects not just developers, but all users, and hardly anyone knew
about it until you posted your patch.


Kind regards,
jer