On Wed, 2017-12-27 at 09:57 -0500, Michael Orlitzky wrote:
> > 2) What you plan to do to have USE=cracklib enabled by default. Two
> > people suggested you should keep this (one way or another) but instead
> > everyone is now without it enabled by default.
>
> I plan to do nothing, because I think it should be disabled by default
> like all other USE flags. I've CC'ed all of the maintainers who might
> want to add the default to IUSE, and apparently none of them do. The
> hardened project and base-system are also CCed/assigned in case one of
> them wanted to adopt the default.
>
> The base profile is the wrong place to enable USE=cracklib, but there
> are better places. If none of the people in charge of those places want
> to enable the flag, then maybe it should remain disabled.

If USE=cracklib is ever removed from base/make.defaults, then this IUSE
default enabling should be done before it is removed for many of the
places where it helps password safety, not afterwards when some
maintainers happen to see you've done it some months later, after we
have dozens of users with "12345" passwords or something.

If you need more opposing, then consider this one, as long as this
preparation work isn't done. Just removing it because maintainers
didn't get to it in your timeline isn't something I would see OK. If
you want to make such a base profile change, then I believe you should
contact the maintainers and see which one wants it default disabled,
and which default enabled; do the default enabled changes and only
afterwards you can touch a base default USE flag, otherwise you are
making a change to all these maintainers' packages without their
consent. It IS an effective change to their package, and you are
effectively doing non-maintainer changes to them.



Mart
