Richard Hughes wrote:
> On 12 October 2011 17:44, Kevin Fenzi <kevin@xxxxxxxxx> wrote:
>> All existing users of the Fedora Account System (FAS) at
>> https://admin.fedoraproject.org/accounts are required to change their
>> password and upload a NEW ssh public key before 2011-11-30.
>
> I have to upload a *new* public key? Why should I have two sets of keys?
> (or upload a new key to all the other f***ing servers I'm using)

+1

>> * Nine or more characters with lower and upper case letters, digits and
>> punctuation marks.
>> * Ten or more characters with lower and upper case letters and digits.
>> * Twelve or more characters with lower case letters and digits
>> * Twenty or more characters with all lower case letters.
>
> This is just insane. My existing password is 8 digits and
> alphanumeric, and given that I have to enter it over and over again
> (and prove "I'm human", another WTF) when creating updates I'm really
> wondering if I want to bother.
>
> Talk about putting up barriers.

+1 again!

This stupid security paranoia really needs to stop! There is NO concrete reason why we're being forced to change the password and the SSH key, plus the new password requirements are too strict.

It's bad enough that we have to generate a new Koji client certificate every 6 months for no reason. (The expiration time on these should be infinite, only explicitly revoked certs should be rejected.)

Now after the whole FPCA stuff (which was enforced really radically, with a tight deadline, mass orphaning of packages and no deadline extension even though many people hadn't complied by the posted deadline, when the old ICLA had served us well for years (so why the rush?)), we're going to once again lose many contributors, and packages with them, due to stupid, unnecessary and inflexible bureaucratic policies being enforced in an automated and draconian way.

And once again we're going another step further from TRUSTING our contributors (to either keep their credentials secure or replace/revoke them, in this case).

What will come next? Will you start taking our (actual, biometric) fingerprints? Iris scans? Will we only be able to log into Fedora infrastructure in the presence of armed security guards?

It's time to stop the nonsense!

Kevin Kofler

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel