Re: [PATCH] offers users MD5, SHA-256, or SHA-512

[Jeremy Katz <katzj redhat com>]

On Tue, 2008-02-19 at 16:01 -1000, David Cantrell wrote:
> On Tue, 19 Feb 2008 16:59:41 -0600 (CST)
> Jeff Bastian <jbastian redhat com> wrote:
> 
> > On Tue, 19 Feb 2008, David Cantrell wrote:
> > > People ask for this stuff, I work on it, and then it's shot down by someone.  I'll remove the UI components.
> > 
> > 
> > I think you should keep it.  I agree with your argument that it exposes 
> > some of the security options available in Fedora that most people might 
> > never even know exists.  I know I've learned a lot about things by seeing 
> > an option in a GUI or a config file option and then reading about it to 
> > understand what it does.  I've often gone with something other than the 
> > default, too.
> 
> Presenting the option to the user during installation will cause confusion.  I 
> played around with adding descriptions such as:
> 	Probably secure (MD5)
> 	Better security (SHA-256)
> 	Best security we can do (SHA-512)
> But that doesn't help if we add other algorithms. 

If I'm just an end-user, I'm *always* going to want "best security we
can do".  There's no way for me to know about all of the trade-offs
involved (compatibility, speed?, ...) and then make an educated choice.
So even the above doesn't really help from a confusion point of view.

> I want to leave the functionality for kickstart.  That's requested by
> RHEL customers, so we should keep that.  And Seth mentioned that
> covers the choice aspect.  

Yep, kickstart seems emminently reasonable for exposing this.

Jeremy