On 12/27/2017 05:49 AM, Jeroen Roovers wrote:
> OK, let me explain again.
>
> In #gentoo we give a lot of attention and support to people who want to
> set up full disk encryption, tor, VPNs, and other security mechanisms,
> and this tells me that they actually want security. By saying that "some
> people [might] want it enabled" you ignore one of the main reasons why
> people turn to Gentoo Linux in the first place.
>
> Having it enabled by default prompts new users and veteran users alike
> to think about password safety, because this means that you get
> reminded of possibly bad passwords *during* installation/while setting
> up your services.

Enable it if you want, but base/make.defaults is the wrong place.

> People can always disable it easily when they feel they do not need it
> (any longer).

Not quite true due to the USE stacking order, as I mentioned on the bug.

>> If you disagree, please make your voice heard on the bug.
>
> I already did that parallel to my response here. Note that *this* is
> the proper venue for discussing sweeping changes like this, and that a
> bug report that saw no input from anyone else for a couple of months
> is not.

That wasn't directed at you. It was directed at all of the other people
on this list, to avoid exactly this discussion that we're having. If
people voiced their opposition, I was happy to leave it alone. Even
after two threads and a bug, yours was the only sure "no." I think I
convinced floppym that base/make.defaults was the wrong place for it.
And keep in mind that I only asked for responses from people who
disagree.

> You already went ahead and committed that change without proper
> discussion and waving away the input you did get suggesting you should
> drop it, so I have now reverted it. Next time, please discuss your
> problems with sane defaults like these before doing anything rash.

There have been two mailing list threads. The first was two months ago,

https://archives.gentoo.org/gentoo-dev/message/8ddc678a05cb6d3b93adfc5a54d6312c

and then there's this one, in which I tried to rally people to your
cause (to no avail). Not to mention the bug itself, where I CC'ed every
affected maintainer.

> As quoted from the bug report, please address these:
> 1) Why you think having USE=cracklib enabled by default is a *problem*
> which needs to be addressed by way of its removal. My original response
> questioned that, but you didn't actually answer it.

I never said that having it enabled by default is a problem. I said that
having it enabled in the base profile is a problem, and semantically
incorrect, as evidenced by the fact that at least one profile has to
unset it. Then there's the stacking issue again, which makes it awkward
to disable if the base profile enables it.

> 2) What you plan to do to have USE=cracklib enabled by default. Two
> people suggested you should keep this (one way or another) but instead
> everyone is now without it enabled by default.

I plan to do nothing, because I think it should be disabled by default
like all other USE flags. I've CC'ed all of the maintainers who might
want to add the default to IUSE, and apparently none of them do. The
hardened project and base-system are also CCed/assigned in case one of
them wanted to adopt the default.

The base profile is the wrong place to enable USE=cracklib, but there
are better places. If none of the people in charge of those places want
to enable the flag, then maybe it should remain disabled.

> 3) This bug report sat there for two months without notice to
> gentoo-dev@ (and largely immaterial, without even a response from the
> teams you CC'd). There was no proper discussion about a change that
> affects not just developers, but all users, and hardly anyone knew
> about it until you posted your patch.

Two separate threads and a bug CC'ed to everyone affected. What else did
you want me to do?