[CentOS] Fedora change that will probably affect RHEL

Sat Jul 25 18:45:25 UTC 2015
Jake Shipton <jakems at fedoraproject.org>

On 25/07/15 18:24, Scott Robbins wrote:
> On Sat, Jul 25, 2015 at 11:16:18AM -0600, Chris Murphy wrote:
>> On Sat, Jul 25, 2015 at 9:40 AM, Scott Robbins <scottro at nyc.rr.com> wrote:
>>> This might show up twice, I think I sent it from a bad address previously.
>>> If so, please accept my apologies.
>>>
>>>
>>>  In Fedora 22, one developer (and only one) decided that if the password
>>>  chosen during installation wasn't of sufficient strength, the install
>>>  wouldn't continue.  A bug was filed, and there was also a great deal of
>>>  aggravation about it on the Fedora testing list.  So, it was dropped.
>>>
>>>  However, like a US (and probably other countries) politician who has one
>>>  bad law suddenly exposed, it seems they are doing it for F23, judging from
>>>  a test installation. I've filed a bug if anyone wants to chime in and ask
>>>  them not to do it.
>>>
>>>  https://bugzilla.redhat.com/show_bug.cgi?id=1246771
>>
>> This is a good write up on the story:
>> https://lwn.net/Articles/639405/
>>
>> And the proposal for Fedora 23:
>> https://fedoraproject.org/wiki/Changes/Standardized_passphrase_policy
>>
>> And the discussion for Workstation's behavior:
>> https://lists.fedoraproject.org/pipermail/desktop/2015-July/012588.html
> 
> Kevin Fenzi responded to my post on Fedora testing saying that at least it
> is a FESCO decision this time, not just a one-man one, and asked for
> patience.  (My knee-jerk response is why are they even discussing it after
> last time, but I refrained.)  Thank you for the links Chris.
> 

I can certainly see why it can annoy certain people.

I think a better solution to suit both worlds would be to simply have a
boot flag on the installation media such as maybe
"passwordcheck=true/false" to enable/disable the strength and check
features of password entry and simply show a text box (and confirm) if
it is disabled without any password checking.

This way those who need the check disabled for quick deployments can do
so and put a stronger password in later at their own time and choosing.

Meanwhile those who wish to have the password checked can also do so.

Thus, both people happy :-).

Personally, I am neither against the idea, nor for it. It doesn't affect
me as I usually use strong passwords regardless.

Kind Regards,
Jake Shipton (JakeMS)
Twitter: @CrazyLinuxNerd
GPG Key: 0xE3C31D8F
GPG Fingerprint: 7515 CC63 19BD 06F9 400A DE8A 1D0B A5CF E3C3 1D8F