On Sun, Sep 02, 2007 at 05:20:42PM -0700, Steve Langasek wrote:
> On Sun, Sep 02, 2007 at 07:38:23PM -0400, Roberto C. Sánchez wrote:
>
> > Just curious, what is the rationale for wanting to keep cracklib out of
> > base?
>
> Size and complexity. Adding libpam-cracklib to base would be a 2MB increase
> in the size of a minimal Debian system on i386, and add 5 packages to the
> list of what has to be installed before the user can do something as simple
> as set the initial root password. Also, in terms of modularity, I don't
> think it makes sense for pam_unix to link to cracklib anyway when we have a
> separate pam_cracklib module for that (whether it's in a separate package or
> not).
>
> I also think that enabling cracklib password checking is probably not a
> reasonable default for single-user systems, because however much we might
> like users to use secure passwords, the hassle of disabling cracklib if the
> user disagrees with us on this point is enough to make this a very
> unpleasant user experience. Maybe if and when we have better up-front
> documentation of what the password requirements are we could consider this
> as a default, but I don't want users to go through the experience of hitting
> five different password strength rules, one-by-one, in the
> ever-more-frustrating process of trying to set a password.

OK. Good to know.

Thanks,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com