#fedora-meeting log

15:00:06 <stickster> #startmeeting Fedora Workstation WG
15:00:06 <zodbot> Meeting started Wed Apr  1 15:00:06 2015 UTC.  The chair is stickster. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:06 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic.
15:00:09 <stickster> #meetingname workstation
15:00:09 <zodbot> The meeting name has been set to 'workstation'
15:00:16 <stickster> #topic Roll call!
15:00:32 <mcatanzaro> Hola
15:00:46 <stickster> o/ :-)
15:00:59 <cschalle_> hola
15:01:15 * jwb is 1/2 here
15:01:15 <kalev> hullo
15:02:01 <stickster> #chair cschalle_ kalev mclasen_ otaylor rdieter_work
15:02:01 <zodbot> Current chairs: cschalle_ kalev mclasen_ otaylor rdieter_work stickster
15:02:10 <stickster> oops
15:02:12 <stickster> #chair mcatanzaro
15:02:12 <zodbot> Current chairs: cschalle_ kalev mcatanzaro mclasen_ otaylor rdieter_work stickster
15:02:14 <stickster> Sorry!
15:02:32 * mclasen_ is here
15:02:38 * otaylor is here
15:02:51 * cschalle_ is here
15:03:10 * stickster notes Ryan is now on BNE time so he won't make it today for sure
15:03:46 * stickster plunges ahead, may be a short session today
15:04:03 <stickster> #topic pwquality changes
15:04:32 <jwb> this is for f23 right?
15:04:34 <stickster> There are actually two subtopics here... One is state of F22 and what needs to be modified to make Workstation do the right thing
15:05:01 <jwb> i think you guys kind of ran out of time for f22.  freeze is in effect
15:05:20 <mcatanzaro> I believe FESCo asked anaconda to revert their changes before freeze, so for F22 we should not need to do anything if I'm not mistaken.
15:05:37 <stickster> Yeah, sgallagh I think can confirm that, mcatanzaro
15:05:43 <mcatanzaro> Or maybe it's a beta freeze exception...?
15:05:58 <jwb> uh... they didn't do that
15:06:20 <sgallagh> They didn't, but it's a blocker bug.
15:06:21 <stickster> #link https://fedorahosted.org/fesco/ticket/1412
15:06:27 <sgallagh> It won't *exit* freeze without being fixed.
15:06:28 <mcatanzaro> Beta blocker: https://bugzilla.redhat.com/show_bug.cgi?id=1191842
15:06:49 <sgallagh> https://github.com/rhinstaller/anaconda/pull/59 should get merged today
15:07:13 <mcatanzaro> "From 2015-03-25 FESCo meeting:
15:07:15 <mcatanzaro> AGREED: In f22, default back to f21 anaconda password behavior, ask anaconda developers, fedora-release and releng folks to make this change happen before Beta freeze."
15:07:25 <sgallagh> That will define the base policy. If Workstation wants something else, it can be overridden.
15:07:41 <sgallagh> But this is what you will get in Beta if you make no changes.
15:07:57 <jwb> mcatanzaro, right, that isn't a revert.  anyway, the effect is similar enough
15:07:58 <stickster> sgallagh: Shouldn't that be '--nostrict' and not '--notstrict' ?
15:08:02 <stickster> sgallagh: See https://github.com/rhinstaller/anaconda/commit/e7e86a23d56bde2b2493d17c99b0781508435993
15:08:08 <sgallagh> stickster: Trust me.
15:08:16 <sgallagh> The code and the commit comment disagree.
15:08:24 <sgallagh> --notstrict is honored by the code
15:08:48 <stickster> sgallagh: Yep, just saw it. The docs were wrong :-)
15:08:55 <sgallagh> bcl is going to correct that in the kickstart docs
15:08:55 <stickster> sgallagh: Thanks!
15:08:56 <kalev> excellent, thanks for making this happen, sgallagh
15:09:02 <stickster> sgallagh++
15:09:18 <stickster> ^ Note you guys can give some karma cookies this way ;-)
15:09:32 <sgallagh> So the remaining question is whether the Workstation product wants to use the base default or tweak it further.
15:10:09 <kalev> sgallagh: what is your recommendation?
15:11:02 <jwb> sgallagh, for f23 not f22, right?
15:11:04 <sgallagh> I wasn't making one. If you folks would prefer something different, I'll help you get that into your productimg package
15:11:17 <kalev> I think we should be fine for now
15:11:18 <sgallagh> jwb: You can do it for F22 with a productimg override file.
15:11:29 <jwb> sgallagh, ngh...
15:11:43 <sgallagh> jwb: I said "can", not "must
15:11:55 <mcatanzaro> Here is my recommendation: https://lists.fedoraproject.org/pipermail/desktop/2015-March/011776.html   <-- minquality should be 1, because anything else misunderstands how pwquality is intended to be used.  minlen should be enforced by pwquality and not anaconda....
15:12:09 <jwb> i don't see it being beta blocker candidate for f22, so i think focusing on f23 is probably better
15:12:18 <rdieter> here, sorry (pulled away @dayjob)
15:12:43 <sgallagh> /me notes that as long as --notstrict is in play, effectively any password will work, just with an extra click to confirm
15:12:50 * stickster would recommend we leave F22 be, since we have the override available. That lets users get what they want without unnecessary confusion. Agreed with jwb
15:13:02 <kalev> yes, I agree too
15:13:21 <mcatanzaro> Yes, for F22, we should just keep the F21 behavior, so there is no urgent need for us to change anything.
15:13:21 <mclasen_> yeah, letting users override is my main concern
15:13:48 <Corey84> would give more time for solid documentation too i'd think
15:13:49 <kalev> sgallagh's pull request above adds the Done button double click override back
15:13:54 <stickster> For f23 what I recall is that most folks (?) wanted to get everything operating under the same pwquality policy. So that's the second subtopic here. :-)
15:13:55 <sgallagh> mcatanzaro: To be clear, this is *not* exactly the F21 behavior. It's the F22 Alpha behavior with an override
15:14:25 <mcatanzaro> sgallagh: OK, thanks. The override being the most important part, though.
15:14:31 <sgallagh> /me nods
15:14:48 <stickster> #agreed The restored override takes care of F22 situation from Workstation WG POV
15:14:53 <Corey84> the override being the (double click okay) correct?
15:14:58 <stickster> Corey84: correct.
15:15:53 <Corey84> as long as there is a clear meaningful are oyu sure  dialog  overrides are fine imo
15:15:58 <otaylor> I'm OK with that approach too - If we change anything for f23, from my perspective, it would be to have an option for workstation to remove the user creation nag
15:16:04 <stickster> #topic F23 pwquality changes
15:16:13 <mcatanzaro> stickster: For F23, to get everything operating under the same pwquality policy, either anaconda needs to (lose the double-click OK and enforce minquality 1 instead of 50 and stop enforcing minlength itself) and gnome-initial-setup needs to start enforcing pwquality 1, OR we must drop pwquality from the PAM stack so that it's not enforced anywhere.
15:16:39 <mcatanzaro> Along with dropping it from the PAM stack, we'd need a couple changes in gnome-control-center.
15:17:06 <Corey84> when did the pwquality 50  get so bloody high ?
15:17:12 <mcatanzaro> FWIW: I think strict enforcement is only reasonable if pwquality starts accepting much weaker passwords than it currently does.
15:17:21 <Corey84> been working on 22 mostly as of late
15:17:29 <stickster> Corey84: This meeting isn't to go back over history, we want to concentrate on what to do for F23.
15:17:50 <stickster> mcatanzaro: That's the point of minquality 1 IIRC
15:18:04 <mclasen_> mcantanzaro: there's also a complication in the control-center where we're not free to ignore the pwquality checks for password changes
15:18:11 <mclasen_> since we're calling out to /usr/bin/passwd for it
15:19:00 <stickster> I'm not really keen on dropping pwquality from the PAM stack. I think it would make more sense for the first solution mcatanzaro mentioned.
15:19:30 <mcatanzaro> stickster: I think pwquality needs to give a nonzero score to much weaker passwords, IMO. This will definitely require pwquality.conf adjustments at the very least.
15:20:50 <kalev> might be something that can be done as a workstation specific config file, similar to what we have for firewalld
15:21:09 <stickster> (a) dropping the double-click shouldn't be a big deal AFAICT; (b) We'd need tmraz to advise on pwquality.conf changes which we could include in our specific config
15:21:11 <Corey84> seems sane
15:21:44 <stickster> currently the stock pwquality.conf ships in libpwquality, but it's marked %config so AIUI we could override it sanely and without stepping on anyone's toes
15:22:01 * stickster shuts up and asks for smarter heads to weigh in here
15:22:07 <mcatanzaro> https://lists.fedoraproject.org/pipermail/devel/2015-March/208845.html <-- my argument that local password strength doesn't really affect security
15:22:51 <rdieter> let's first try to get the standard/default setup acceptable, only resort to workstation-specific config as a last resort
15:23:01 <rdieter> (or are we to a last resort already?)
15:23:58 <stickster> rdieter: I think the issue with an across-the-board default is that Workstation doesn't allow SSH by default, making it different than e.g. Server
15:24:13 <sgallagh> /me notes that nirik has been attempting to start a distro-wide policy discussion
15:24:18 <mclasen_> mcatanzaro: for the 'enable ssh' case we could conceivably do something
15:24:28 <kalev> I think is is something that should be different between server and workstation. A server that by default enables remote logins, should probably get much stricter password checking than a local workstation.
15:24:34 <stickster> sgallagh: Cool, do you have a link I could grab?
15:24:41 <stickster> kalev: right.
15:24:44 <sgallagh> https://fedoraproject.org/wiki/User:Kevin/Draft_Passwordpolicy
15:24:48 <mclasen_> in the sharing panel, when you enable it, remind the user that he needs to have a good password
15:24:55 <stickster> #link https://fedoraproject.org/wiki/User:Kevin/Draft_Passwordpolicy
15:24:59 <mclasen_> or something like that
15:25:11 <mcatanzaro> I would love to see gnome-control-center take you straight to a "set a stronger password" screen when enabling SSH, rather than just a little reminder he will ignore.
15:26:02 <rdieter> stickster: personally, I'd prefer if server wants a more strict setup, let them make things different than the default, rather than the other way around
15:26:10 <mcatanzaro> mclasen_: If pwquality were to reject only very weak passwords, would you be OK with enforcing that in gnome-initial-setup? Otherwise the only solution is to remove pwquality from the PAM stack.
15:26:38 <mcatanzaro> (As I believe we all want a consistent policy between all apps.)
15:26:51 <mclasen_> in gnome-initial-setup, we _can_ ignore pwquality
15:27:09 <mclasen_> since we're not shelling out to /usr/bin/passwd
15:27:23 <kalev> also, again, it might make sense to have pwquality in the PAM stack for server, but not for a local workstation -- again something where we might want to differ in the configuration
15:27:29 <mclasen_> if we should ignore it is another question
15:27:52 <stickster> mclasen_: I think what mcatanzaro is saying is, if we want uniform policy then it would be best not to ignore it.
15:28:11 <mclasen_> well, we're just putting the override back into anaconda to allow ignoring it ?
15:28:16 <mcatanzaro> mclasen_: Yes, that's the status quo, which I do not like because it's inconsistent with gnome-control-center. So really basic principle: either gnome-initial-setup needs to change, or gnome-control-center needs to change. And the only way to change gnome-control-center is to remove the PAM check.
15:28:51 <stickster> mclasen_: That's for this release because we don't have any agreed-on uniform policy. We're talking about fixing that, and then getting all the apps to follow it.
15:29:38 <stickster> So changing g-i-s seems like the right answer to me
15:30:08 <mclasen_> we could change the control-center to always call out to the accountsservice for password changes to get out of the passwd shackles
15:30:11 <striker> Not sure if this can help or not, but I normally make my passwords using this: https://strikerttd.fedorapeople.org/randompass
15:30:17 <mclasen_> it is the way it is now because of 'audit trail'
15:31:21 <mclasen_> which, to be frank, is mostly baloney
15:32:13 <stickster> mclasen_: Would moving g-c-c to use accountsservice bring it into alignment with the overall pwquality policy?
15:32:18 <mcatanzaro> Ideally accountsservice would go through PAM too...? We should fix PAM rather than go around it IMO.
15:32:33 <mclasen_> pam is not fixable, really
15:32:54 <mcatanzaro> stickster: No, that would avoid checking the policy completely. Like g-i-s already does. Note that we're only talking about enforcement; we'll still use it to show strength regardless.
15:33:10 <kalev> mclasen_: even if we could tune the default pam configuration to suit workstation needs?
15:33:47 <mclasen_> we can tune the configuration, but that doesn't fix the api and the limitations it imposes
15:33:51 <kalev> ok
15:34:09 <mclasen_> we have horrible constructions in gdm to work around brokenness of pam
15:34:11 <mcatanzaro> We can "fix" PAM with regard to password strength checks (not with regard to ancient design decisions) by just not performing the check... there is no reason passwd should enforce password strength if control-center does not....
15:34:20 <mclasen_> juggling multiple pam stacks
15:35:20 <mclasen_> right
15:35:43 <mclasen_> so, things you want to be consistent include passwd as well
15:36:10 <mclasen_> realistically, the only way to get that for all the tools is to make the pam configuration do what we want
15:36:20 <mclasen_> not work around it in all the places
15:37:11 <kalev> and i think it's doable, since whereas previously the whole of fedora was constrained to a single configuration, we can now have different configurations between different products
15:37:46 <mcatanzaro> Yes, and the two options are (a) accept weaker passwords, or (b) remove pwquality-pam so there are no more checks. I'm inclined towards (a) but no strong preference. I have to leave the meeting early this week, bye for now!
15:37:52 <stickster> Right, it doesn't mean we have to do something weird like disable pwquality in PAM
15:38:00 <stickster> Thank you for input mcatanzaro !
15:39:10 <stickster> So would people agree that we should consult tmraz to find pwquality.conf settings that achieve what we want, lobby for those settings as the uniform policy, and if that doesn't succeed, we'd like to use those settings as Workstation specific?
15:39:30 <mclasen_> I concur with mcatanzaro. those are the options, and option a) is probably better
15:39:30 <rdieter> agreed
15:39:40 <kalev> sounds like a plan
15:39:45 <mclasen_> also in terms of being acceptable to the security guys
15:40:12 <stickster> *nod
15:40:18 <stickster> Anyone -1 ?
15:41:42 <stickster> The scoring in pwquality.conf is not as transparent as it looks at first blush. kalev, would you be willing to talk to tmraz (unless you have Plenty of Clue[tm] already) ;-) to see how we could get appropriate settings?
15:42:24 * stickster not sure what we all think is right here, but definitely we don't want the byzantine requirements that come along with score >= 50
15:42:55 <kalev> stickster: sure, I can try
15:43:13 <stickster> kalev: Thank you
15:43:58 <stickster> #action kalev work with tmraz to figure out appropriate pwquality.conf settings, may need some input from group on desired strength
15:44:08 <stickster> #topic Maps
15:44:24 <stickster> OK, this topic might be pretty short and sweet, I'm not sure. The last one wasn't as much :-)
15:45:15 <stickster> As Bastien and others noted... the reason Maps wasn't around in previous default was because of buggy behavior that's now fixed. So is there any reason not to have it in the default now?
15:45:31 <kalev> No, that's not true
15:45:42 <kalev> we explicitly removed gnome-maps last cycle
15:46:01 <mclasen_> I'm torn on this - if we include all the good apps on the image, we don't give people a chance to use our awesome software installer
15:46:05 <stickster> kalev: But my recollection is that was because it wasn't working very well and thus not a good thing to put in front of users.
15:46:12 <mclasen_> and we clutter the overview
15:46:26 <kalev> yes, that's exactly how I feel too :)
15:46:45 <kalev> we've always said that the reason we had to install so many apps by default was because we don't have a good app installer
15:47:07 <mclasen_> this is a bit tangled up with the goa thing
15:47:31 <stickster> mclasen_: In that we don't have bits to create accounts on something like OpenStreetMap?
15:47:37 <mclasen_> I think we should look at finding a better approach for that (regardless whether we include maps now or now)
15:48:10 <mclasen_> stickster: there's no editing capability in gnome-maps now, so I don't think you could use such an account for anything ?
15:48:26 <stickster> mclasen_: OK, I obviously don't understand your GOA point then
15:48:54 <stickster> can you illuminate me? :-)
15:48:56 <mclasen_> rishi asked for maps to be included so 'the goa foursquare provider can be enabled''
15:49:05 <stickster> ah
15:49:16 <mclasen_> goa wants to not advertise accounts that have no consumers
15:49:31 <mclasen_> so maps is needed purely because it can consume foursquare accounts
15:49:38 <stickster> Hm
15:50:35 <kalev> maybe a system where apps can say what accounts they know how to consume
15:50:37 <stickster> I guess that brings up an interesting point about capabilities and why not to call out to the software installer for such consumers
15:50:47 <stickster> similar to totem codecs
15:50:49 <mclasen_> I've suggested that
15:50:49 <kalev> and then goa displays the accounts only if there's a known consumer installed?
15:51:01 <stickster> (although that doesn't work that great either, AFAICT)
15:51:15 <mclasen_> there's a slippery slope though - we don't want goa to become a collection of app-specific accounts
15:51:19 <stickster> *nod
15:51:29 <mclasen_> if each provider has only one consumer, there's not much use in having it centralized
15:51:53 <mclasen_> which is why we've been shy about letting apps influence goa like that
15:51:59 <mclasen_> but I think we should revisit that
15:52:27 <drago01> "display only when one consumer is installed" makes sense to me
15:53:47 <stickster> So right now, the situation is that Maps appears in the default install, correct?
15:54:14 * stickster doesn't have a working TC in front of him to check at the moment.
15:54:41 <kalev> yes, hadess added it to the default install
15:56:22 <stickster> So do we want to change that, or not?
15:58:38 <stickster> From my POV, we have plenty of apps out there for the software installer to grab... a better working app... and rishi asking to enable 4sq, without much reason not to (other than that we'd like apps<->GOA interaction to improve upstream)
15:59:05 <stickster> So I'm -1 to change the current situation. Leave maps in. Others?
15:59:19 <otaylor> agree
15:59:51 <stickster> mclasen_: kalev: rdieter: cschalle_: ?
16:00:00 <rdieter> agreed (not strong feeling either way)
16:00:07 <cschalle_> agreed
16:00:10 * stickster supposes voting is kind of overrated here, if we just leave it alone it stays :-)
16:00:12 <mclasen_> ok with me
16:00:17 <kalev> I am fine either way
16:00:24 <stickster> OK, that sounds like agreed to me.
16:00:28 <stickster> #agreed leave Maps in for now
16:00:35 <mclasen_> I'll discuss possible goa changes with rishi
16:01:07 <stickster> OK -- some of us have to vamoose for another meeting, so I'm going to close down here... Thank you all for coming, and please note the new time for next meeting -- Monday April 13, 9:00am US-EDT / 1300 UTC
16:01:26 <stickster> #info Next meeting at new timeslot -- Monday April 13, 9:00am US-EDT / 1300 UTC
16:01:30 <stickster> #endmeeting