FESCO request to revert password confirmation change in F22
dcantrell at redhat.com
Fri Mar 6 15:52:34 UTC 2015
On Fri, Mar 06, 2015 at 09:43:33AM -0500, Adam Jackson wrote:
> As resolved by FESCO in our meeting on 4 March 2015, FESCO requests that
> anaconda revert a password behaviour change in the UI from F22,
> restoring the "double-click to confirm weak password" behaviour from F21
> and earlier.
>From what I'm reading in the meeting logs and the ticket comments, it
appears the revert decision is basically a temporary solution and a more
formal security policy will be discussed later. We had technical arguments
in favor of the change originally, but I have yet to see technical arguments
against the change come together in any sort of concrete policy.
I wish a formal distribution and/or per-variant security policy would come
from FESCo (or a committee directed by FESCo) so we could resolve the
concerns now and going forward. I don't see the revert decision as being a
good step in that direction, only because there was really no technical
discussion or reasoning around it.
> As for how that's realized: I'm not picky. If it makes more sense from
> a development or maintenance perspective to keep the revert in fedora
> package git rather than rhinstaller upstream, that's fine; if it makes
> more sense to revert upstream as well, that's fine too.
Without an official policy on the matter and only a temporary solution for
now, upstream won't be changing. Fedora will need to carry this deviation
as a patch in package git for F-22.
> FESCO is prepared to work with anaconda and other stakeholders to define
> security models for the various Fedora products. By clarifying our
> needs we hope to avoid this kind of contention in the future.
The discussion for this might as well start now -or- at least early enough
so it's not too late for F-23.
David Cantrell <dcantrell at redhat.com>
Manager, Installer Engineering Team
Red Hat, Inc. | Westford, MA | EST5EDT
More information about the devel