| 1 |
On Fri, 22 Dec 2017 12:30:35 -0500 |
| 2 |
Michael Orlitzky <mjo@g.o> wrote: |
| 3 |
|
| 4 |
> On 12/21/2017 02:27 PM, Jeroen Roovers wrote: |
| 5 |
> > On Thu, 21 Dec 2017 10:10:30 -0500 |
| 6 |
> > Michael Orlitzky <mjo@g.o> wrote: |
| 7 |
> > |
| 8 |
> >> The "cracklib" USE flag ... this commit removes it from |
| 9 |
> >> base/make.defaults. |
| 10 |
> >> |
| 11 |
> >> Closes: https://bugs.gentoo.org/635698 |
| 12 |
> > |
| 13 |
> > As there: |
| 14 |
> >> ... |
| 15 |
> > |
| 16 |
> > Let me (easily) counter that by stating that having cracklib in |
| 17 |
> > place makes people pick better passwords. Especially the brand new |
| 18 |
> > Linux users we see so many of might benefit from a default |
| 19 |
> > mechanism that helps them make better security choices, but I am |
| 20 |
> > sure even advanced users and systems administrators might set a |
| 21 |
> > "temporary" POC password "quickly" and then later see their systems |
| 22 |
> > go into production without a second thought about using stronger |
| 23 |
> > passwords. |
| 24 |
|
| 25 |
> I don't think that "some people want it enabled" is enough |
| 26 |
> justification to keep this in the base profile that is the parent of |
| 27 |
> all others. |
| 28 |
|
| 29 |
OK, let me explain again. |
| 30 |
|
| 31 |
In #gentoo we give a lot of attention and support to people who want to |
| 32 |
set up full disk encryption, tor, VPNs, and other security mechanisms, |
| 33 |
and this tells me that they actually want security. By saying that "some |
| 34 |
people [might] want it enabled" you ignore one of the main reasons why |
| 35 |
people turn to Gentoo Linux in the first place. |
| 36 |
|
| 37 |
Having it enabled by default prompts new users and veteran users alike |
| 38 |
to think about password safety, because this means that you get |
| 39 |
reminded of possibly bad passwords *during* installation/while setting |
| 40 |
up your services. |
| 41 |
|
| 42 |
People can always disable it easily when they feel they do not need it |
| 43 |
(any longer). |
| 44 |
|
| 45 |
> If you disagree, please make your voice heard on the bug. |
| 46 |
|
| 47 |
I already did that parallel to my response here. Note that *this* is |
| 48 |
the proper venue for discussing sweeping changes like this, and that a |
| 49 |
bug report that saw no input from anyone else for a couple of months |
| 50 |
is not. |
| 51 |
|
| 52 |
You already went ahead and committed that change without proper |
| 53 |
discussion and waving away the input you did get suggesting you should |
| 54 |
drop it, so I have now reverted it. Next time, please discuss your |
| 55 |
problems with sane defaults like these before doing anything rash. |
| 56 |
|
| 57 |
As quoted from the bug report, please address these: |
| 58 |
1) Why you think having USE=cracklib enabled by default is a *problem* |
| 59 |
which needs to be addressed by way of its removal. My original response |
| 60 |
questioned that, but you didn't actually answer it. |
| 61 |
|
| 62 |
2) What you plan to do to have USE=cracklib enabled by default. Two |
| 63 |
people suggested you should keep this (one way or another) but instead |
| 64 |
everyone is now without it enabled by default. |
| 65 |
|
| 66 |
3) This bug report sat there for two months without notice to |
| 67 |
gentoo-dev@ (and largely immaterial, without even a response from the |
| 68 |
teams you CC'd). There was no proper discussion about a change that |
| 69 |
affects not just developers, but all users, and hardly anyone knew |
| 70 |
about it until you posted your patch. |
| 71 |
|
| 72 |
|
| 73 |
Kind regards, |
| 74 |
jer |
Archives