
Re: Salsa as authentication provider for Debian



]] Enrico Zini 

> On Sat, Apr 11, 2020 at 09:47:39PM +0200, Tollef Fog Heen wrote:
> 
> > We quite regularly have upstreams getting access for weird architecture
> > failures.  There's no particular reason for those people to have salsa
> > accounts.
> 
> I understand those are temporary accounts. Do those cases need an
> arbitrary name from the LDAP namespace?
> 
> Several places I worked with use a pool of time-limited accounts from a
> guestNNN namespace, for example: that could address your use case
> without overlapping with anything else.

We have guest accounts that have been in use longer than the lifecycle
of some DD accounts, so while it would technically work, it wouldn't be
a particularly nice solution.  (You can of course say that requiring
non-DDs registering on salsa to have a -guest suffix isn't nice either,
something I can agree with.)

> > It does to me, since suddenly we have to care about what's on salsa,
> > something we've never had to care about before.
> 
> As I said in 20200409181701.3qqsn5sqq3xbu2ia@enricozini.org, no, you
> don't need to care about anything: you keep doing what you want, and we
> deal with it.

I think we in practice will want to do that in order to avoid triggering
bugs in software that assumes that user names are consistent.

> So far, I only received requests to keep the status quo as it is
> indefinitely, and very little in terms of counterproposals actionable now,
> besides theoretical new software solutions to be explored, that would
> address the problems I am having.

In case that was directed at me, rather than the wider world: I'm not
requesting you do one thing or another, I'm pointing out some possible
ramifications.

It's not clear to me why removing the -guest restriction has to happen
for sso.d.o to be using Salsa as an IdP, which seems to be your primary
goal?  That's my most immediate concern.  Switching to oauth2/OIDC seems
like a good idea, and assuming we can move to another broker somewhere
down the line, I have no problems with that happening.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are