Heads up - Anaconda 22.17 will enforce 'good' passwords
Adam Williamson
adamwill at fedoraproject.org
Thu Jan 29 21:23:56 UTC 2015
On Thu, 2015-01-29 at 14:01 -0700, Chris Murphy wrote:
> On Wed, Jan 28, 2015 at 5:33 PM, Samuel Sieb <samuel at sieb.net> wrote:
>
> > I just don't understand the reasoning here. Sure, make it very clear
> > that the chosen password is weak. Make me jump through several hoops
> > before accepting the weak password. But it's my computer! Why can't I
> > make the (informed) choice to use a weak password?
>
> What was the reasoning from the Anaconda team the last time they
> tried to enforce a password policy change without consulting anyone
> else about it? It was conjecture. And they didn't ask any security
> experts about the idea in advance then either. Calm, rational
> criticism was met with stubborn condescension from the developers.
> It took a firestorm on devel@ to get them to change their mind.
>
> And this time, once again several people have offered calm, rational
> feedback (on anaconda-devel@) about how this doesn't improve
> security in any meaningful way, but does inhibit testing in a
> meaningful way. But this has been ignored and summarily rejected.
> While consistent with the track record, it's beyond tedious that
> anaconda devs tend to respond better to vinegar than honey.
>
> So, I'm not sure why you'd expect any kind of reasoning to be
> presented for yet another installer security mis-feature that's
> completely orthogonal to the original sshd proposal.

Seriously. Stop this. I have already asked people to stop assigning
negative motivations to others without due cause. This is not being
excellent to each other. The next person to do this is going into
moderation.

I have already explained that the change was made in response to
extensive discussion of a proposed Fedora 22 Change:

https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no

It is not hard to follow this discussion. Just go read the devel@
archives:

https://lists.fedoraproject.org/pipermail/devel/2015-January/206157.html
is the start of the thread

https://lists.fedoraproject.org/pipermail/devel/2015-January/206513.html
is an example of someone not at all involved in anaconda development
proposing password strength enforcement

You were involved in that thread yourself, so you *know* this is not
just coming from anaconda.

The anaconda-devel-list discussion couldn't really be clearer about
the relationship to the Change proposal - the whole thread was kicked
off by the Change owner:

https://www.redhat.com/archives/anaconda-devel-list/2015-January/msg00026.html

It is simply and clearly _false_ to claim that "the Anaconda
team...tried to enforce a password policy change without consulting
anyone else about it?", when the change was in fact discussed on two
high-profile public project mailing lists, both threads which you
*posted in yourself*.

You may not like the change, I don't like it much either, but it's not
acceptable to cast entirely insupportable aspersions on the people
making it.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net