Re: Salsa as authentication provider for Debian

To: Enrico Zini <enrico@enricozini.org>
Cc: Xavier <yadd@debian.org>, debian-project@lists.debian.org
Subject: Re: Salsa as authentication provider for Debian
From: Michael Lustfield <michael@lustfield.net>
Date: Tue, 7 Apr 2020 09:14:11 -0500
Message-id: <[🔎] 20200407091411.17439261@tea>
In-reply-to: <[🔎] 20200407115006.uak4yzlmkt2u3lqx@enricozini.org>
References: <[🔎] 20200405184610.GA581270@waldi.eu.org> <[🔎] d58246e1-6d57-5e65-97eb-609dc0f5b3d8@debian.org> <[🔎] 20200407115006.uak4yzlmkt2u3lqx@enricozini.org>

On Tue, 7 Apr 2020 13:50:06 +0200
Enrico Zini <enrico@enricozini.org> wrote:

> On Tue, Apr 07, 2020 at 12:20:40PM +0200, Xavier wrote:
> 
> I would like to avoid stalling progress on sso on things like analysis
> paralysis, or like sorting out deployment details, as happened in the
> last years.

I can very much appreciate a desire to get a replacement rolled out as quickly
as possible. The more I learn about the current situation [1], the more alarming
it is. However, please don't consider the work Lucas and I are doing as
stalling. I was unaware that the whole effort stalled. I'm currently between
contracts and have plenty of free time to make something happen.

I also like to think of a myself as a good masochist. You can expect me to
stick around for the long term. :)

[1] oh my...
    https://wiki.debian.org/DebianSingleSignOn#If_you_ARE_NOT_.28yet.29_a_Debian_Developer

> I'll ask you the same question I asked Luca: is there something in the
> Salsa proposal that would prevent further experimentation with LLNG and
> eventually possibly integrating it into the ecosystem, or migrating to
> it?

Aside from the security concern I raised earlier, it's largely a "gut feeling"
that comes from seeing how quickly legacy quirks develop in any new deployment.
If Salsa needs to make any assumption or enforcements that Alioth did not,
those will need to be accounted for in the new solution. Additionally, we
already have a clean path 

Something that comes to mind is what it would take to migrate accounts from
Salsa to somewhere else. Does gitlab provide user exports? As unfortunate as it
is that alioth's DB is now a flat-file managed by hand, it provides a very
simple and easy way to import all of that data.

> [...]
> As a side effect of an interim on Salsa, services can begin to migrate
> from client certificates to OIDC, switching to a mode widely used,
> usable, and flexible standard, which I wouldn't be surprised if it would
> make things easier when moving to something else later on.

If there aren't any practical issues with migrating away from salsa in the
future, then I wouldn't have any objection, but the voice in the back of my
head is screaming pretty loudly right now.

-- 
Michael Lustfield

Reply to:

Follow-Ups:
- Re: Salsa as authentication provider for Debian
  - From: Enrico Zini <enrico@enricozini.org>

References:
- Salsa as authentication provider for Debian
  - From: Bastian Blank <waldi@debian.org>
- Re: Salsa as authentication provider for Debian
  - From: Xavier <yadd@debian.org>
- Re: Salsa as authentication provider for Debian
  - From: Enrico Zini <enrico@enricozini.org>

Prev by Date: Re: Salsa as authentication provider for Debian
Next by Date: Re: Salsa as authentication provider for Debian
Previous by thread: Re: Salsa as authentication provider for Debian
Next by thread: Re: Salsa as authentication provider for Debian
Index(es):
- Date
- Thread