Do you think this is a security risk and if not is it a bad UI decision?

Orcan Ogetbil oget.fedora at gmail.com
Mon May 6 04:02:34 UTC 2013 

On Sun, May 5, 2013 at 2:35 PM, Adam Williamson wrote:
>
> On Sun, 2013-05-05 at 14:07 -0400, Orcan Ogetbil wrote:
> > On Fri, May 3, 2013 at 4:04 PM, Dan Mashal wrote:
> >         Hi,
> >
> >         In the latest Fedora 19 Beta TC2 install after I got through
> >         the
> >         initial steps of the install I started to setup my root
> >         password.
> >
> >         To my surprise my password was shown in plain text instead of
> >         bullets.
> >
> >
> > The obvious workaround is to use a temporary password during
> > installation and on the first boot use passwd to change it (still
> > leaves a small time window of vulnerability though). It is similar to
> > removing pulseaudio upon installation to get the sound working.
> > Surprisingly, Fedora keeps adding these "hidden" steps to complete a
> > sane installation, yet adding a step to educate users about DE choices
> > is still a taboo.
>
> Whether you think the change was a good change or not, it is out of line
> to suggest that the idea was somehow "adding these "hidden" steps to
> complete a sane installation". The idea was to improve the usability of
> the password entry dialog, on the understanding that the practical
> security impact was minimal. Now we can argue with that assessment, and
> that's what we're doing, but it would be really nice if people would
> assume *good* faith on the part of other members of the project, not
> *bad* faith. The anaconda team are working hard to make things better,
> not worse, just like the rest of us.
>
Sorry, I did not try to imply "*bad* faith" on any members of the
project. I try to look at it as posing challenges to filter out the
weak and let the fittest survive, which, I think, can be explained by
"*good* faith". I admire certain developers' imagination.

Going off-topic:
>
> It is ridiculous to suggest that "removing pulseaudio upon installation
> to get the sound working" is some kind of ""hidden" steps to complete a
> sane installation". In addition to all the objections above, it is
> factually incorrect: in the vast majority of installations, sound works
> better with PulseAudio than without it.
>
Well, unfortunately it did not work on a fresh F18 installation on a
rare hardware (onboard Intel HD Audio) a couple of weeks back. I
really did not want to spend time to figure out what was wrong. Just
guess what I did to fix it (and it worked rightaway) ...

> Look, please, by all means, calmly discuss the merits of the decision.
> Just don't bring into question the motivations of its introduction
> unless you have a damn strong factual basis for doing so.
I believe I do have a damn strong factual basis on everything I
claimed. Sorry if I could not manage to convince.

Best,
Orcan

More information about the devel mailing list