Re: FESCO request to revert password confirmation change in F22

On Fri, 2015-03-06 at 10:52 -0500, David Cantrell wrote:
> I wish a formal distribution and/or per-variant security policy would come
> from FESCo (or a committee directed by FESCo) so we could resolve the
> concerns now and going forward.  I don't see the revert decision as being a
> good step in that direction, only because there was really no technical
> discussion or reasoning around it.

Speaking only for myself: yeah, I didn't like it either.  I voted
against it (asking for a revert) in the 28 February meeting because I
was hoping the engineering teams actually involved would be willing to
work with each other.  That appears not to have happened, which I
consider deeply disappointing all around.

There wasn't _no_ technical discussion.  Plenty of people were willing
to point out that pwquality being overzealous was making it reject
passwords that would otherwise have passed on F21, or would be expected
to be "sufficiently strong" according to whatever metric.  Plenty of
people were willing to point out the ways policy might vary here
depending on the deployment scenario.

But nobody was willing to make those ideas manifest in, you know, code.

So the technical consideration (I felt) we were left with was not
"regressing" relative to F21.  That is a stunningly weak justification,
given that what we're regressing from wasn't especially well-defined and
that we change plenty of things in every release, but here we are.

> > FESCO is prepared to work with anaconda and other stakeholders to define
> > security models for the various Fedora products.  By clarifying our
> > needs we hope to avoid this kind of contention in the future.
> 
> The discussion for this might as well start now -or- at least early enough
> so it's not too late for F-23.

Indeed.  I'll bring this back to fesco to find someone to head this up.

- ajax

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




