On Fri, 22 Dec 2017 12:30:35 -0500 Michael Orlitzky <m...@gentoo.org> wrote:
> On 12/21/2017 02:27 PM, Jeroen Roovers wrote:
> > On Thu, 21 Dec 2017 10:10:30 -0500
> > Michael Orlitzky <m...@gentoo.org> wrote:
> >
> >> The "cracklib" USE flag ... this commit removes it from
> >> base/make.defaults.
> >>
> >> Closes: https://bugs.gentoo.org/635698
> >
> > As there:
> >> ...
> >
> > Let me (easily) counter that by stating that having cracklib in
> > place makes people pick better passwords. Especially the brand new
> > Linux users we see so many of might benefit from a default
> > mechanism that helps them make better security choices, but I am
> > sure even advanced users and systems administrators might set a
> > "temporary" POC password "quickly" and then later see their systems
> > go into production without a second thought about using stronger
> > passwords.
> I don't think that "some people want it enabled" is enough
> justification to keep this in the base profile that is the parent of
> all others.

OK, let me explain again. In #gentoo we give a lot of attention and support to people who want to set up full disk encryption, tor, VPNs, and other security mechanisms, and this tells me that they actually want security. By saying that "some people [might] want it enabled" you ignore one of the main reasons why people turn to Gentoo Linux in the first place. Having it enabled by default prompts new users and veteran users alike to think about password safety, because this means that you get reminded of possibly bad passwords *during* installation/while setting up your services. People can always disable it easily when they feel they do not need it (any longer).

> If you disagree, please make your voice heard on the bug.

I already did that parallel to my response here. Note that *this* is the proper venue for discussing sweeping changes like this, and that a bug report that saw no input from anyone else for a couple of months is not.

You already went ahead and committed that change without proper discussion, waving away the input you did get suggesting you should drop it, so I have now reverted it. Next time, please discuss your problems with sane defaults like these before doing anything rash.

As quoted from the bug report, please address these:

1) Why you think having USE=cracklib enabled by default is a *problem* which needs to be addressed by way of its removal. My original response questioned that, but you didn't actually answer it.

2) What you plan to do to have USE=cracklib enabled by default. Two people suggested you should keep this (one way or another) but instead everyone is now without it enabled by default.

3) This bug report sat there for two months without notice to gentoo-dev@ (and largely immaterial, without even a response from the teams you CC'd). There was no proper discussion about a change that affects not just developers, but all users, and hardly anyone knew about it until you posted your patch.

Kind regards,
jer