[CentOS] Another Fedora decision

Sat Jan 31 15:04:22 UTC 2015
James B. Byrne <byrnejb at harte-lyne.ca>

On Sat, January 31, 2015 05:14, Johnny Hughes wrote:
> On 01/30/2015 06:09 PM, Scott Robbins wrote:
>> On Fri, Jan 30, 2015 at 11:27:55PM +0000, Marko Vojinovic wrote:
>>> On Fri, 30 Jan 2015 14:15:05 -0800
>>> Akemi Yagi <amyagi at gmail.com> wrote:
>>>> On Fri, Jan 30, 2015 at 2:04 PM, Scott Robbins
>>>> <scottro at nyc.rr.com>
>>>> wrote:
>>>>>> Centos 7 does that as well.
>>>>> Heh, I guess I've used good passwords in my installs then.
>>>> I have to tap it twice all the time. But don't tell this to
>>>> anyone! ;-)
>>> OP's point is that probably in RHEL8 you won't be able to do even
>>> that anymore.
>> Exactly.  There is some complaining going on on the Fedora testing
>> list,
>> not sure where else one can protest.
> Well, protesting here would be meaningless .. as is protesting systemd
> here.  CentOS-8 will have whatever is in the RHEL-8 source code,
> exactly
> as it is in that source code minus branding.  Just like CentOS-2.1, 3,
> 4, 5, and 6.  Our goal is to rebuild the source code exactly, bugs and
> all.  We want all the behaviors and the experience to be identical in
> every way.
> If you want to effect change before it gets in RHEL, then Fedora is
> the place.  If you want to get it changed in CentOS, then buying RHEL
> and providing feedback there is the way.  We are, by design, exactly
> as Red Hat pushes the RHEL source code.

Reading between the lines of the Fedora list discussion leads me to
the conclusions that:

1. The password strength decision is driven by RH corporate.

2. There is not going to be any back-off by the developers.

3. This is going to be in RH-8.

4. There is absolutely no rational argument that can be made to anyone
to alter any of this.

5. Protesting there is evidently meaningless as well.

The Fedora Server WG has already asked that this be optionally
enforced if it cannot be removed.  Answer: No.

This change was not discussed, it was announced.  There has been zero
support for it from the community and a large amount of criticism. 
All requests for information respecting the rational and evidential
support driving the change are met with what can only be described as
political doublethink amounting to:

See the unrelated discussion on this thread over here; and when you
discover that it has nothing to do whatsoever with your request then
see that tangential thread over there; and when you persistently
return to your original request because there is no answer in either
then be told that you are a conspiracy theory nut-case.

> On Fri, Jan 30, 2015 at 2:49 PM, Chris Murphy
>  <lists at colorremedies.com> wrote:
> On Fri, Jan 30, 2015 at 1:21 PM, Adam Williamson
>  <adamwill at fedoraproject.org> wrote:
>> On Fri, 2015-01-30 at 12:59 -0700, Chris Murphy wrote:
>>> What's the actual, real world,
>>> non-imaginary impetus behind the change?
>> It's exactly what all the list posts I pointed you to say it is.
> Please go find quotes because I just went through them all and I
> found:
> "Better security is always a plus."
> "Instead I propose that we increase our minimum password..."
> "In principle I don't disagree with it; But IMO it can not be
> a replacement to stronger defaults."
> And that's it. No actual reasons, let alone any data to back it up.
> And all three of those statements have flaws which I've already
> addressed.
>> I don't know how to stop the conspiracy virus which causes
>> people to leap to the conclusion that there's some shadowy
>> secret motive behind every change they don't like, but there
>> *isn't*.

( Odd, is it not, that Mr. Williamson professes that there is no
secret motive but cannot actually provide one when asked. )

The most telling line in the entire thread, for me, is this one:

On Fri, 2015-01-30 at 12:59 -0700, Chris Murphy wrote:
> When you stop trusting me. I stop trusting you. And that's a
> huge problem, and thus far the engineering types are looking
> at this with narrow vision, it's 2 more key presses. They
> aren't looking at this at all from the perspective of its
> connotation.

Personally, from the outside looking in, this all smells of a pointy
haired boss directive that the devs are trying to cover their
collective asses from.  Of course, my corporate days are long behind
me so perhaps things have changed.  Equally it could be simple
incompetence by highly strung people that do not like being criticised
for an ill-considered hasty decision but who actually have no evidence
to support it.

I have to go off now and find a nice bone bed to lie down in; and

***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3