Re: Proposal to extend os-release/machine-info with field PREFER_HARDENED_CONFIG

On 16/02/2022 17:11, Stefan Schröder wrote:
I must say, I am very sure that the primary focus should always be on
locking things down as well as we can for *everyone* and as
*default*.

Yes, that'd be nice, but I don't think it's realistic. Having an opt-in via the proposed mechanism, it would be much easier to suggest alternative 'hardened' configurations upstream if they didn't mess up the old defaults.

I'm having loads of trouble at work at present - everything is locked down tight because of GDPR and £Millions in fines if things go wrong.

There's no way I'm going to lock my home system down like that. What's the saying - the securest system is locked in a safe with no connectivity (and totally unusable :-). There is a very strong trade-off between "secure" and "usable", and different people have different tolerances for friction.

For me, passwd/shadow is more than secure enough - learning pam is too much effort/hassle for too little gain. For work, it's LDAP/2FA - mistakes and breaches are costly.

All that's being asked for here is some way of telling the system where on the usable/secure spectrum the computer should be configured. As I'm fond of saying, one size does NOT fit all ...

Cheers,
Wol


