On Wed, Dec 27, 2017 at 05:42:04PM +0200, Mart Raudsepp wrote:
> On K, 2017-12-27 at 09:57 -0500, Michael Orlitzky wrote:
> > > 2) What you plan to do to have USE=cracklib enabled by default. Two
> > > people suggested you should keep this (one way or another) but instead
> > > everyone is now without it enabled by default.
> >
> > I plan to do nothing, because I think it should be disabled by default
> > like all other USE flags. I've CC'ed all of the maintainers who might
> > want to add the default to IUSE, and apparently none of them do. The
> > hardened project and base-system are also CCed/assigned in case one of
> > them wanted to adopt the default.
> >
> > The base profile is the wrong place to enable USE=cracklib, but there
> > are better places. If none of the people in charge of those places want
> > to enable the flag, then maybe it should remain disabled.
>
> If USE=cracklib is ever removed from base/make.defaults, then this IUSE
> default enabling should be done before it is removed for many of the
> places where it helps password safety, not afterwards when some
> maintainers happen to see you've done it some months later, after we

I would say that it is up to you to show where it was approved for
adding to base/make.defaults by showing where it was discussed on this
list, or showing where it was added in the profile revision history.

A bug that has been open as long as he said it was earlier in this
thread, as well as notification here with a 72 hour delay as well as
contacting the maintainers directly as far in advance as he did seems
reasonable to me.

I will look at this more when I get back to my home system, but on the
face of it, I would support his change.

>
> If you need more opposing, then consider this one, as long as this
> preparation work isn't done. Just removing it because maintainers
> didn't get to it in your timeline isn't something I would see OK. If
> you want to make such a base profile change, then I believe you should
> contact the maintainers and see which one wants it default disabled,
> and which default enabled; do the default enabled changes and only
> afterwards you can touch a base default USE flag, otherwise you are
> making a change to all these maintainers' packages without their
> consent. It IS an effective change to their package, and you are
> effectively doing non-maintainer changes to them.

As he said, he contacted the maintainers in ample time, so I would say
that since they didn't respond he went ahead in good faith. I'll get
the link later, but as I recall, the dev manual recommends a 2-4 week
wait for maintainers not responding then we can assume that what we are
doing is ok.

I will look into this more when I get back to my home system, but as a
member of base-system, tentatively count me as supporting his change.

To respond to the comment about preparation work:

Again, I haven't checked the bug, but if it has been there a while and
received no input from base-system etc, there may not be any, so
removing it from base/make.defaults would be the way to go.

William