On Wed, 2009-11-18 at 02:24 -0500, Caleb Cushing wrote:
Oh no. It has been 1 day and my "bug" is not fixed! I must blog about it so the world listens to me...
also no one has presented a /good/ reason for not fixing it, only reasons they don't think it should be fixed. you could do abc or d things that I can think of... but no one has said why security shouldn't be tighter for kde. what's the negative impact? why aren't failed logins being logged right now? why can users login if they have an account but no valid shell? seriously? what's the reason that this should not be fixed? that there MAY be acceptable alternatives? I don't find the GUI option acceptable, because it's too kde specific, and (probably) doesn't affect a thing if I change login managers. only one of the options you suggest actually does what I need to do... but for some reason it didn't take immediate effect when I tried it. <snip>
Minimal modification of packages. Allow users to choose for themselves instead of doing work for them. I fail to see the security implications here for the common user. Why would someone want to lock out a user without deleting the account except a system admin, who presumably would know what to do and would not need a 'simple one-step process'? I'd wager most Arch users simply have 1 account they use all the time, and perhaps a guest account for others to use. This isn't a security hole, and it isn't the responsibility of Arch devs to make decisions for the users except in extreme cases.