Heads up - Anaconda 22.17 will enforce 'good' passwords

Adam Williamson adamwill at fedoraproject.org
Thu Jan 29 22:18:45 UTC 2015 

On Thu, 2015-01-29 at 15:09 -0700, Chris Murphy wrote:
> On Thu, Jan 29, 2015 at 2:23 PM, Adam Williamson <
> adamwill at fedoraproject.org> wrote:
> > Seriously. Stop this. I have already asked people to stop 
> > assigning negative motivations to others without due cause. This 
> > is not being excellent to each other.
> 
> "Your user password for your computer is arbitrarily unacceptable to 
> the Fedora Project" is not being excellent either.

Come on, that's sophistry. You can't interpret code as a personal 
insult.

(It's not 'arbitrary', anyway. It's using a well-known and widely-used 
password quality library.)

> 
> > 
> > The anaconda-devel-list discussion couldn't really be clearer 
> > about the relationship to the Change proposal - the whole thread 
> > was kicked off by the Change owner:
> > 
> > https://www.redhat.com/archives/anaconda-devel-list/2015-January/msg00026.html
> 
> That change proposal was rejected, so how is it that one of its 
> proposed changes has managed to make it through to the installer 
> barely two weeks later?

It's not actually something that is part of the Change's scope, but an 
alternative way to try and achieve the same goal: the overall thought 
process was "well, what the Change proposer really wants is to reduce 
the likelihood of compromise via password access to the root account, 
but no-one was particularly keen on the approach he proposed, so one 
different way to do it is to improve the strength of the root 
password". As bcl's mail explicitly says:

https://www.redhat.com/archives/anaconda-devel-list/2015-January/msg00030.html

> The substantive discussion on devel@ was centered on the sshd 
> portion, not changes to the installer enabling password quality 
> enforcement. That happened on anaconda-devel@ which most Fedora 
> users don't even monitor let alone participate. The main notice of 
> this change actually occurring happened for the first time in test@ 
> which arguably most users also don't monitor.

If someone's interested in Fedora development, they need to read the 
Fedora development mailing lists. *Any* code change is presumably of 
interest to someone, or it wouldn't be done in the first place; this 
is not a reason for us to go mailing users@ every time someone commits 
to anaconda.

You can argue that the change is significant enough to be a Change, I 
guess, though personally I don't think it really is, unless it affects 
kickstart installs (in which case people would be surprised at their 
kickstarts suddenly not working right any more - but I don't think it 
does). It's a bit hard to argue about, though, since one of the things 
the Change process appears to be missing is an actual definition of 
what should be considered to constitute a 'Change', exactly. It's thus 
impossible to declare conclusively that X or Y *must* be a Change, 
unless FESCo has stated it or something. You can suggest that it 
should be, but it's impossible to make a completely definitive 
declaration since there's literally no basis on which you could do 
that outside of a formal FESCo vote or something.

https://fedoraproject.org/wiki/Changes/Policy
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net

More information about the test mailing list