FESCo Meeting Minutes (2015-03-04)

Chris Murphy lists at colorremedies.com
Thu Mar 5 20:10:24 UTC 2015


On Thu, Mar 5, 2015 at 8:41 AM, Adam Jackson <ajax at redhat.com> wrote:
> On Thu, 2015-03-05 at 00:45 +0100, Kevin Kofler wrote:
>> Adam Jackson wrote:
>> > * #1412 anaconda password change is causing consternation among the user
>> >   community please review this policy decision  (ajax, 18:24:10)
>> >   * AGREED: FESCo would like anaconda to turn back on the "double-done"
>> >     option for Fedora 22.
>>
>> Thanks!
>>
>> >     Better solutions should be investigated for F23.  (ajax, 18:43:33)
>>
>> What better solutions? What password I pick should be none of the
>> installer's business.
>
> False.  It's entirely reasonable for a product to mandate an appropriate
> security policy,

Ajax, when you say things like this, this is what it sounds like: "Hey,
nice football you have there. Guess what? I'm gonna TAKE THAT BALL
FROM YOU!!"

I consider this an invitation to scrimmage. How serious does a random
person take a game? You don't really know how seriously they take it,
do you? How dirty will they get? Is mud OK? Cuts and scrapes? Elbows
to the face?  This is why there are rules so both parties know how bad
it could get in advance, and know whether the game is worth playing or
not.

There is no actual game here, because it hasn't been played in
something like 30 years. The user has the ball when it comes to their
devices. It's completely ceded, the ship has sailed, no one touches
this in any meaningful way. The most significant change to password
enforcement in this time?

Mobile. No lock even required.

How about websites?  They have a ball sharing program. The rules are
clearly stated in advance. I cede that the site has a lot to lose in
reputation if my account is breached, and even my friends, family, and
the site's customers can be at risk too. So even if I don't like all
the rules, I tacitly accept the ultimate authority, and the higher
password burden. Their system isn't really my device after all, is it?

My device? I have the ball. You wanna try and take it away from me?
*grin* I'm not daring you or anything. This wasn't my idea. I really
don't want to fight. But when you say "appropriate" as an adjective, I
hear it as a verb which means to take something away without my
permission. And since this game hasn't, to my knowledge, ever been
played before, what are the rules? How vicious will it get? Are you
really prepared to find out? How well do you take elbows to the face?
I think I can take them pretty well.

Do you not see the escalating can of worms, just by the choice of
language you've selected? It's asking for a fight whether you
recognize it or not, whether you intend it or not. Maybe you're just
confused. Maybe Anaconda thought I really wasn't that attached to the
ball, because they don't get outdoors all that much. But it was all
just a simple misunderstanding. No harm done!

I think Fedora users are more well grounded than their Windows and OS
X counterparts. Apple, Microsoft, Google, they haven't dared to look
the user in the eye and suggest the ball isn't theirs when it comes to
their own device. Bet they've looked into it. If they were to do what
Anaconda just did (and, that's twice now), I'd expect entire new
categories of profanity being invented overnight. I'd expect those
companies would prefer a zombie apocalypse, hindsight being 20/20 and
all.

So. Ajax. I see you looking at my ball.

Now I understand for legacy/historical reasons, the installer sets the
password as a practical matter because there hasn't been a first boot
setup program that does this. That's entirely different from a minimum
password quality enforcement policy. The best we can do in the area of
passwords is make them unnecessary; second best is something like an
OpenSCAP application that can run on any DE that helps the sysadmin
(who by and large is the single user for the system) do a better job
setting strong passwords and disabling risky services, etc.

But right now Fedora is being really dissonant, because we're
suggesting a fight with the user after decades of giving up on that
battle. Really? Why now? Meanwhile, Fedora enables sshd on Server by
default. That's opt out, not opt in. By making sshd disabled by
default it puts it on par with the password: both become opt in, both
states are transparent to the user. You do not get to hand wave about
risky services that are silently enabled by default while blaming the
user (for their password as well as not disabling a service they
didn't know was on in the first place).

OK please stop looking at my ball, you're making me nervous.

We do have serious problems, and we really need a big picture OS
overview for making secure systems the default, and more easily
hardening them further. But right or wrong, irrational or not, the way
you get possession of this particular ball isn't to take it. You have
to make the user hand it to you. If you do this correctly, they will,
if it's even necessary. But if you try to take it from them, it will
thwart all other efforts.


-- 
Chris Murphy

