Nathan Middleton wrote: > I'm in no way a developer, but having an interest in Gobo and wanting > it to succeed I'd like to just mention that you run a risk of possibly > being seen as "insecure" to some people by allowing a user to install > with an empty root password. I'm still trying to figure out how this > would ever be a valid installation option, ever. IDK, just my 2 cents > worth.
I don't see how an empty password is much more "insecure" than having your password be "password" and telling everyone about it. SSH often disallows logging in as root by default, even when it is run, I think (even though having other users that can sudo is equally insecure, especially when root is named something unknown like 'gobo'). If the only people who have physical access to the computer should be able to control root, and have really bad memories, I think an obvious root password might be the safest solution. Again, the existence of a bad password doesn't mean you'll ever even be given the chance to provide it or see a login prompt. On the other hand, I recall some Gobo scripts use sudo failure as choosing not to provide a password, telling you to press enter if you want to proceed without using the password. Empty root password should probably be considered like, say, not having proc and sysfs in your fstab: not necessarily a correct system state. Isaac _______________________________________________ gobolinux-devel mailing list gobolinux-devel@lists.gobolinux.org http://lists.gobolinux.org/mailman/listinfo/gobolinux-devel
