Heads up - Anaconda 22.17 will enforce 'good' passwords

Adam Williamson adamwill at fedoraproject.org
Thu Jan 29 21:23:56 UTC 2015


On Thu, 2015-01-29 at 14:01 -0700, Chris Murphy wrote:
> On Wed, Jan 28, 2015 at 5:33 PM, Samuel Sieb <samuel at sieb.net> wrote:
> 
> > I just don't understand the reasoning here.  Sure, make it very clear
> > that the chosen password is weak.  Make me jump through several hoops
> > before accepting the weak password.  But it's my computer!  Why can't
> > I make the (informed) choice to use a weak password?
> 
> What was the reasoning from the Anaconda team the last time they 
> tried to enforce a password policy change without consulting anyone 
> else about it? It was conjecture. And they didn't ask any security 
> experts about the idea in advance then either. Calm, rational 
> criticism was met with stubborn condescension from the developers. 
> It took a firestorm on devel@ to get them to change their mind.
> 
> And this time, once again several people have offered calm, rational 
> feedback (on anaconda-devel@) about how this doesn't improve 
> security in any meaningful way, but does inhibit testing in a 
> meaningful way. But this has been ignored and summarily rejected. 
> While consistent with the track record, it's beyond tedious that 
> anaconda devs tend to respond better to vinegar than honey.
> 
> So, I'm not sure why you'd expect any kind of reasoning to be
> presented for yet another installer security mis-feature that's 
> completely orthogonal to the original sshd proposal.

Seriously. Stop this. I have already asked people to stop assigning 
negative motivations to others without due cause. This is not being 
excellent to each other. The next person to do this is going into 
moderation.

I have already explained that the change was made in response to 
extensive discussion of a proposed Fedora 22 Change:

https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no

It is not hard to follow this discussion. Just go read the devel@ 
archives:

https://lists.fedoraproject.org/pipermail/devel/2015-January/206157.html
is the start of the thread

https://lists.fedoraproject.org/pipermail/devel/2015-January/206513.html
is an example of someone not at all involved in anaconda development 
proposing password strength enforcement

You were involved in that thread yourself, so you *know* this is not 
just coming from anaconda.

The anaconda-devel-list discussion couldn't really be clearer about 
the relationship to the Change proposal - the whole thread was kicked 
off by the Change owner:

https://www.redhat.com/archives/anaconda-devel-list/2015-January/msg00026.html

It is simply and clearly _false_ to claim that "the Anaconda 
team...tried to enforce a password policy change without consulting 
anyone else about it?", when the change was in fact discussed on two 
high-profile public project mailing lists, both threads which you 
*posted in yourself*.

You may not like the change, I don't like it much either, but it's not 
acceptable to cast entirely insupportable aspersions on the people 
making it.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net


