
Re: Salsa as authentication provider for Debian



On Mon, Apr 06, 2020 at 02:34:03PM -0500, Michael Lustfield wrote:

> I was previously involved with a company that audited various git-hosting
> services. I'm stuck behind a very strict (saw it brutally enforced) NDA, so
> please forgive the lack of specifics. Gitlab is a tool that gets many things
> right, and many things wrong. Access control is an area where I have seen some
> critical bugs. Some of those bugs led me to not trust it as a non-internal
> authentication source.

I normally assume anything with a huge codebase to be full of holes, so
I'd say you haven't told me anything surprising.

The current sso.debian.org codebase has been written by one person (me),
deployed by one person (me), audited by nobody, and as far as I'm aware,
nobody besides me has ever read the code. I think that's a scarier
picture than Gitlab: at least Gitlab is somewhat widely deployed, has
regular updates, and has people maintaining it in production and sending
patches, which gives it a limited amount of scrutiny.

I still claim introducing gitlab as OIDC provider is not going to make
matters /worse/, and, I repeat, that's the only claim I've been trying
to get validated here.

If you are concerned that Debian critical operations could be depending
on a single signon platform which does not have the track record of
security that we would like, then we're already dealing with that: the
whole world controlled by sso.debian.org is designed under the
assumption of not being secure enough.

You can't get sso.debian.org access with your Debian master password:
you need a web password instead, which does not give you access to the
rest of db.debian.org.

With an sso certificate, for example, you can't change your status in
Debian, you can't advocate a person, you can't AM approve, you can't DAM
approve, you can't upload packages, you can't vote, you can't read
debian-private, you can't gain shell access to debian.org machines: we
require a GPG signature from a key in the Debian keyring for all those
operations. That is not going to change.

If you or someone else will eventually manage to introduce a Single Sign
On system that would take us to the next step of being able to advocate
developers, take packaging actions, update the ssh key you use to access
debian.org machines, all via a web interface, I really look forward to
that!

That's not what we're trying to do here. We're not there now, and it's
not going to change with introducing Salsa as an OIDC provider.


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>


