
Re: Salsa as authentication provider for Debian



]] Sam Hartman 

> >>>>> "Tollef" == Tollef Fog Heen <tfheen@err.no> writes:
> 
>     Tollef> ]] Enrico Zini
>     >> For guest accounts opened by DSA directly, it can be pretty much
> 
> First, at this point in time I would be very skeptical of someone
> contributing to Debian enough to need porter box access but not having a
> salsa account.
> It's possible, but that would be a yellow flag for me in evaluating
> such a request.

We quite regularly have upstreams getting access for weird architecture
failures.  There's no particular reason for those people to have salsa
accounts.

> However, as I read the guest account process, it has a number of manual
> steps where people are processing tickets.
> I suspect that DSA actually has a script or set of scripts that go
> create the guest account.

That varies.  It's LDAP, people sometimes use the ud-* suite of tools,
sometimes ldapvi.  Is salsa also going to check for debian.org accounts
when creating and renaming accounts on its side?

> Having these scripts check to see if the name is registered at salsa and
> requiring manual override to create an account if it conflicts with
> salsa and appears to belong to a different user is not, in my mind,
> making DSA's ldap subservient to the salsa LDAP.

(Salsa doesn't use LDAP, afaik)

It does to me, since suddenly we have to care about what's on salsa,
something we've never had to care about before.  It also breaks the
invariant people have been able to trust so far, that foo@salsa.d.o is
also foo@d.o (assuming both exist).  This will no longer hold true, and
I think we'll run into security problems down the line because of it.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

