On Wed, Jan 28, 2015 at 5:33 PM, Samuel Sieb <samuel@xxxxxxxx> wrote:

> I just don't understand the reasoning here. Sure, make it very clear that
> the chosen password is weak. Make me jump through several hoops before
> accepting the weak password. But it's my computer! Why can't I make the
> (informed) choice to use a weak password?

What was the reasoning from the Anaconda team the last time they tried to enforce a password policy change without consulting anyone else about it? It was conjecture. And they didn't ask any security experts about the idea in advance then either. Calm, rational criticism was met with stubborn condescension from the developers. It took a firestorm on devel@ to get them to change their mind.

And this time, once again several people have offered calm, rational feedback (on anaconda-devel@) about how this doesn't improve security in any meaningful way, but does inhibit testing in a meaningful way. But this has been ignored and summarily rejected. While consistent with the track record, it's beyond tedious that anaconda devs tend to respond better to vinegar than honey.

So, I'm not sure why you'd expect any kind of reasoning to be presented for yet another installer security mis-feature that's completely orthogonal to the original sshd proposal. If this is really an improvement in security, which it isn't because an 8 character "good" password still has very low entropy, then it should have to go through the feature process, which it hasn't.

Such enforcement doesn't happen on Ubuntu, openSUSE, Android, iOS, Windows, or OS X and I think the anaconda developers need to be very clear what problem they're trying to address. Because right now it's a faux-solution in search of a problem.

--
Chris Murphy

--
test mailing list
test@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe: https://admin.fedoraproject.org/mailman/listinfo/test