On Thu 07 Sep 2023 at 01:27:23 +0200, Philip Hands wrote:

> Jonathan Kamens <j...@kamens.us> writes:
> 
> > Oh, I see now that the fact that the installer shouldn't recommend 
> > changing one's password regularly was also reported previously, in bug 
> > #868869.
> 
> Also, in #656509 (in which Cyril states that the effort of translating a
> new message outweighs the importance of the change).
> 
> I've no idea if that justification for inaction still stands, but I
> thought this would make a nice little example for the use of the
> salsa-CI pipeline (and my branch2repo variant of that), so here's an MR:
> 
>   https://salsa.debian.org/installer-team/user-setup/-/merge_requests/7
> 
> and here's a screenshot of what the change looks like:
> 
>   https://openqa.debian.net/tests/185853#step/passwords/1
> 
> I'm not 100% happy with the wording (and the underlines around 'should'
> need to go) so I'm very likely to tweak it tomorrow.
> 
> Suggestions for improvement welcome, although be aware that given the
> resistance to fixing this in the past, it's always possible such a
> change will also be deemed unjustified now.
> 
> I think it's probably about time we fixed it, since even the civil
> servants in the UK have stopped recommending password changes by now,
> and they tend to make such changes at least a decade late. ;-)

The password strength advice in d-i has been there from the year dot.
Irrespective of what GCHQ and others say now, it was a load of nonsense
then and remains so.

The vast majority of users ignore it; some might schedule a password
change at the same time they change the locks on all outside doors of
their residence or on their cars.

Debian has no need to offer password advice (as opposed to root vs sudo).
So leave it there as a historical oddity or delete the d-i advice. The
latter route does not involve anyone in any great effort to maintain
the status quo.

-- 
Brian.
