On Sat, Jul 25, 2015 at 11:16:18AM -0600, Chris Murphy wrote:
> On Sat, Jul 25, 2015 at 9:40 AM, Scott Robbins <scottro at nyc.rr.com> wrote:
> > This might show up twice, I think I sent it from a bad address previously.
> > If so, please accept my apologies.
> >
> >
> > In Fedora 22, one developer (and only one) decided that if the password
> > chosen during installation wasn't of sufficient strength, the install
> > wouldn't continue. A bug was filed, and there was also a great deal of
> > aggravation about it on the Fedora testing list. So, it was dropped.
> >
> > However, like a US (and probably other countries) politician who has one
> > bad law suddenly exposed, it seems they are doing it for F23, judging from
> > a test installation. I've filed a bug if anyone wants to chime in and ask
> > them not to do it.
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1246771
>
> This is a good write up on the story:
> https://lwn.net/Articles/639405/
>
> And the proposal for Fedora 23:
> https://fedoraproject.org/wiki/Changes/Standardized_passphrase_policy
>
> And the discussion for Workstation's behavior:
> https://lists.fedoraproject.org/pipermail/desktop/2015-July/012588.html

Kevin Fenzi responded to my post on Fedora testing saying that at least it
is FESCO decisions this time, not just a one man one, and asked for
patience. (My knee-jerk response is why are they even discussing it after
last time, but I refrained.) Thank you for the links Chris.

--
Scott Robbins
PGP keyID EB3467D6
( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6

On 25/07/15 18:24, Scott Robbins wrote:
> On Sat, Jul 25, 2015 at 11:16:18AM -0600, Chris Murphy wrote:
>> On Sat, Jul 25, 2015 at 9:40 AM, Scott Robbins <scottro at nyc.rr.com> wrote:
>>> This might show up twice, I think I sent it from a bad address previously.
>>> If so, please accept my apologies.
>>>
>>>
>>> In Fedora 22, one developer (and only one) decided that if the password
>>> chosen during installation wasn't of sufficient strength, the install
>>> wouldn't continue. A bug was filed, and there was also a great deal of
>>> aggravation about it on the Fedora testing list. So, it was dropped.
>>>
>>> However, like a US (and probably other countries) politician who has one
>>> bad law suddenly exposed, it seems they are doing it for F23, judging from
>>> a test installation. I've filed a bug if anyone wants to chime in and ask
>>> them not to do it.
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1246771
>>
>> This is a good write up on the story:
>> https://lwn.net/Articles/639405/
>>
>> And the proposal for Fedora 23:
>> https://fedoraproject.org/wiki/Changes/Standardized_passphrase_policy
>>
>> And the discussion for Workstation's behavior:
>> https://lists.fedoraproject.org/pipermail/desktop/2015-July/012588.html
>
> Kevin Fenzi responded to my post on Fedora testing saying that at least it
> is FESCO decisions this time, not just a one man one, and asked for
> patience. (My knee-jerk response is why are they even discussing it after
> last time, but I refrained.) Thank you for the links Chris.
>

I can certainly see why it can annoy certain people.

I think a better solution to suit both worlds would be to simply have a
boot flag on the installation media such as maybe
"passwordcheck=true/false" to enable/disable the strength and check
features of password entry and simply show a text box (and confirm) if it
is disabled without any password checking.

This way those who need the check disabled for quick deployments can do so
and put a stronger password in later at their own time and choosing.

Meanwhile those who wish to have the password checked can also do so.

Thus, both people happy :-).

Personally, I am neither against the idea, nor for it. It doesn't affect me
as I usually use strong passwords regardless.

Kind Regards,
Jake Shipton (JakeMS)
Twitter: @CrazyLinuxNerd
GPG Key: 0xE3C31D8F
GPG Fingerprint: 7515 CC63 19BD 06F9 400A DE8A 1D0B A5CF E3C3 1D8F

Gordon Messmer
2015-Jul-25 22:00 UTC
[CentOS] Fedora change that will probably affect RHEL
On 07/25/2015 11:45 AM, Jake Shipton wrote:
> I think a better solution to suit both worlds would be to simply have a
> boot flag on the installation media such as maybe
> "passwordcheck=true/false"

https://xkcd.com/1172/

It's practically a law that every time someone's workflow is broken, they
request an option to change it.

Personally, I'm against it. Putting a weak password into the installer *is*
a request for a weak password. There's no reason to request a weak password
twice (with a boot arg and a weak password) when the alternative is to
graphically represent the password strength and let the user decide.

I don't like the change, but at the same time I do all of my installs with
kickstart, and such installs are not affected. Kickstart files can contain
a hashed password, and since a hashed password can't be checked, it can't
be rejected. Thus, any decision FESCO makes won't affect me at all.
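
Added example (not part of the original thread, and not code from Anaconda or kickstart): the pre-hashed kickstart password described in the message above, generated with `openssl passwd -6`, showing that a weak and a strong password yield crypt strings of identical shape, so a strength policy can only be applied before hashing. Assumes OpenSSL 1.1.1 or later; the function names and both sample passwords are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample passwords are constructed.
# Assumes OpenSSL 1.1.1+ for `openssl passwd -6` (SHA-512 crypt).

# Hash a password read from stdin, so the plaintext never appears in argv.
hash_password() {
    openssl passwd -6 -stdin
}

# Emit the kickstart directive for a pre-hashed root password.
kickstart_rootpw() {
    printf 'rootpw --iscrypted %s\n' "$(printf '%s\n' "$1" | hash_password)"
}

# Reduce a crypt string to what an installer could inspect without the
# plaintext: the scheme id plus the salt and digest lengths.
hash_shape() {
    printf '%s\n' "$1" |
        awk -F'[$]' '{ printf "$%s$<%d>$<%d>\n", $2, length($3), length($4) }'
}

# Constructed sample inputs: one dictionary word, one long random string.
weak_line=$(kickstart_rootpw 'password')
strong_line=$(kickstart_rootpw 'kV9#tq2!Lr7@xw4Zp0')

# The two directives differ in content...
printf '%s\n%s\n' "$weak_line" "$strong_line"

# ...but expose the same structure, with nothing that indicates strength.
hash_shape "${weak_line#rootpw --iscrypted }"
hash_shape "${strong_line#rootpw --iscrypted }"
```

Any site-wide password policy therefore has to run wherever `hash_password` is called, before the kickstart file is written.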