On Fri, 2015-01-30 at 14:49 -0700, Chris Murphy wrote:
> 
> I just don't see any consideration here except specious statements 
> like better security is always a plus. That was the summary extent 
> of the entire decision making process.

Well, no, AFAICS there isn't anything like that. It was a fairly 
lightly considered change. The threat it's primarily addressing is 
that sshd with password login is enabled out of the box in at least 
some of the configurations anaconda deploys, and is therefore 
vulnerable to brute force attacks. Secondarily it's about local user 
accounts.

I think the main point is the one nirik made; I don't think the devs 
agree with your assessment of how significant this is. It's a minor 
inconvenience; you just have to come up with a password that passes 
the check, or use a kickstart. So I don't think they agree that it 
needs a full-blown security audit and FESCo review or whatever, 
because they don't think it's really that huge of a change in 
behaviour.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net

-- 
test mailing list
test@lists.fedoraproject.org