Do you think this is a security risk and if not is it a bad UI decision?

Adam Williamson awilliam at redhat.com
Sun May 5 18:35:18 UTC 2013


On Sun, 2013-05-05 at 14:07 -0400, Orcan Ogetbil wrote:
> On Fri, May 3, 2013 at 4:04 PM, Dan Mashal wrote:
>         Hi,
>         
>         In the latest Fedora 19 Beta TC2 install after I got through
>         the initial steps of the install I started to set up my root
>         password.
>         
>         To my surprise my password was shown in plain text instead of
>         bullets.
> 
> 
> The obvious workaround is to use a temporary password during
> installation and on the first boot use passwd to change it (still
> leaves a small time window of vulnerability though). It is similar to
> removing pulseaudio upon installation to get the sound working.
> Surprisingly, Fedora keeps adding these "hidden" steps to complete a
> sane installation, yet adding a step to educate users about DE choices
> is still a taboo.

Can we please keep this discussion productive? It really irritates me
when people question other people's good faith for no valid reason.

Look, please remember: this change was committed to anaconda git master
less than a month ago. It was reviewed only by the anaconda team. It has
not yet made it to a single official Fedora (pre-)release; it has been
present only in Beta TC1, TC2 and TC3, which are *validation test
images*, they are not public pre-releases.

Whether you think the change was a good change or not, it is out of line
to suggest that the idea was somehow "adding these "hidden" steps to
complete a sane installation". The idea was to improve the usability of
the password entry dialog, on the understanding that the practical
security impact was minimal. Now we can argue with that assessment, and
that's what we're doing, but it would be really nice if people would
assume *good* faith on the part of other members of the project, not
*bad* faith. The anaconda team are working hard to make things better,
not worse, just like the rest of us.

It is ridiculous to suggest that "removing pulseaudio upon installation
to get the sound working" is some kind of ""hidden" steps to complete a
sane installation". In addition to all the objections above, it is
factually incorrect: in the vast majority of installations, sound works
better with PulseAudio than without it.

Look, please, by all means, calmly discuss the merits of the decision.
Just don't bring into question the motivations of its introduction
unless you have a damn strong factual basis for doing so.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net


