
Re: Salsa as authentication provider for Debian



On Tue, Apr 07, 2020 at 09:14:11AM -0500, Michael Lustfield wrote:

> I can very much appreciate a desire to get a replacement rolled out as quickly
> as possible. The more I learn about the current situation [1], the more alarming
> it is. However, please don't consider the work Lucas and I are doing as
> stalling. I was unaware that the whole effort stalled. I'm currently between
> contracts and have plenty of free time to make something happen.
> 
> I also like to think of myself as a good masochist. You can expect me to
> stick around for the long term. :)

That's great, and I also don't want the Salsa improvement we proposed to
be a blocker for further developments.

As far as I'm concerned, we could get started with migrating services to
OIDC consumers[1], unblocking new non-DD access to services, and
cleaning up the status quo a bit.

Sooner or later, your and Luca's work (or somebody else's, or all of
them) can get validated, and can pick up the situation from where we
left it and keep improving.


[1] or even simply libapache2-mod-auth-openidc, since the current cert
    system is handled by apache anyway


> Aside from the security concern I raised earlier, it's largely a "gut feeling"
> that comes from seeing how quickly legacy quirks develop in any new deployment.
> If Salsa needs to make any assumption or enforcements that Alioth did not,
> those will need to be accounted for in the new solution. Additionally, we
> already have a clean path 

I don't understand what you mean with "any assumption of enforcements".


> Something that comes to mind is what it would take to migrate accounts from
> Salsa to somewhere else. Does gitlab provide user exports? As unfortunate as it
> is that alioth's DB is now a flat-file managed by hand, it provides a very
> simple and easy way to import all of that data.

Gitlab does indeed provide user exports: some more details are in the
"Exit strategy" part of the proposal Waldi posted.


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
