On Fri, 22 Dec 2017 12:30:35 -0500
Michael Orlitzky <m...@gentoo.org> wrote:

> On 12/21/2017 02:27 PM, Jeroen Roovers wrote:
> > On Thu, 21 Dec 2017 10:10:30 -0500
> > Michael Orlitzky <m...@gentoo.org> wrote:
> >   
> >> The "cracklib" USE flag ... this commit removes it from
> >> base/make.defaults.
> >>
> >> Closes: https://bugs.gentoo.org/635698  
> > 
> > As there:  
> >> ...  
> > 
> > Let me (easily) counter that by stating that having cracklib in
> > place makes people pick better passwords. Especially the brand new
> > Linux users we see so many of might benefit from a default
> > mechanism that helps them make better security choices, but I am
> > sure even advanced users and systems administrators might set a
> > "temporary" POC password "quickly" and then later see their systems
> > go into production without a second thought about using stronger
> > passwords.

> I don't think that "some people want it enabled" is enough
> justification to keep this in the base profile that is the parent of
> all others.

OK, let me explain again.

In #gentoo we give a lot of attention and support to people who want to
set up full disk encryption, tor, VPNs, and other security mechanisms,
and this tells me that they actually want security. By saying that "some
people [might] want it enabled" you ignore one of the main reasons why
people turn to Gentoo Linux in the first place.

Having it enabled by default prompts new users and veteran users alike
to think about password safety, because this means that you get
reminded of possibly bad passwords *during* installation/while setting
up your services.

People can always disable it easily when they feel they do not need it
(any longer).

> If you disagree, please make your voice heard on the bug.

I already did that parallel to my response here. Note that *this* is
the proper venue for discussing sweeping changes like this, and that a
bug report that saw no input from anyone else for a couple of months
is not.

You already went ahead and committed that change without proper
discussion and waving away the input you did get suggesting you should
drop it, so I have now reverted it. Next time, please discuss your
problems with sane defaults like these before doing anything rash.

As quoted from the bug report, please address these:
1) Why you think having USE=cracklib enabled by default is a *problem*
which needs to be addressed by way of its removal. My original response
questioned that, but you didn't actually answer it.

2) What you plan to do to have USE=cracklib enabled by default. Two
people suggested you should keep this (one way or another) but instead
everyone is now without it enabled by default.

3) This bug report sat there for two months without notice to
gentoo-dev@ (and largely immaterial, without even a response from the
teams you CC'd). There was no proper discussion about a change that
affects not just developers, but all users, and hardly anyone knew
about it until you posted your patch.

Kind regards,
