Re: Salsa as authentication provider for Debian
On Wed, Apr 08, 2020 at 05:28:37PM +0200, Enrico Zini wrote:
> On Wed, Apr 08, 2020 at 03:00:31PM +0000, Luca Filipozzi wrote:
>
> > > Question: is there something in the proposed Salsa plan that somehow
> > > blocks experimenting with, introducing, or migrating to Keycloak in the
> > > future?
> >
> > The further we go down one path, the harder, in my opinion, to change
> > later.
>
> I think we're not really going "down one path": we're trying to dig
> ourselves "out of one pit".
>
> I'll have to repeat the question: is there something specific in the
> proposed Salsa plan, that somehow blocks experimenting with,
> introducing, or migrating to Keycloak or some other solution in the
> future?

I think introduction of the broker is the compelling use case. I
appreciate that you may not view that as sufficiently compelling.
Additionally, I'd prefer keeping SPs separate from IdPs, have them speak
to each other using standard protocols, etc. I don't view making GitLab
an IdP as appropriate.

> From what I can see so far, we're starting a migration to OIDC, removing
> one of 3 user databases, adopting more standards, and doing some general
> cleanup along the way, which makes me think Salsa could be considered an
> iterative step towards a migration to anything else.

Very good outcomes, to be sure.

> If you're instead generally expressing a fear that once we migrate to
> Salsa, we'll be in a local optimum that is going to be considered good
> enough to be worth bothering migrating to anything else, then I would
> argue that the problem wouldn't be having moved to Salsa as an OIDC
> provider, and rather that the next step that is proposed wouldn't be
> bringing enough compelling advantages to the problem at hand.

Indeed, a local optimum is worrisome.

--
Luca Filipozzi