
Re: Salsa as authentication provider for Debian



Hi,


On 4/8/20 2:30 PM, Bastian Blank wrote:
> On Wed, Apr 08, 2020 at 07:50:22PM +0800, Shengjing Zhu wrote:
>> 1. Can you still keep the "-guest" enforcement, so it's still easy to
>> recognize who is DD or not on salsa?
> 
> No.  The guest suffix was meant to avoid collisions with Debian
> accounts.  And the tool used to enforce it is unmaintained.
> 
> Also the only place that can for sure answer if someone is DD is
> nm.debian.org, not Salsa.

Actually I see that as a big security risk. In the easiest case you'll
have a username that looks similar to one of a DD and that (malicious)
user is added to a project as the project admin thinks that user is a DD
and assumes that a DD can be trusted.

Having an easy way to identify DDs and non-DDs is a must imho.
Being able to keep your account while getting rid of the -guest
when you become a DD would be an extra bonus.



Bernd


-- 
 Bernd Zeimetz                            Debian GNU/Linux Developer
 http://bzed.de                                http://www.debian.org
 GPG Fingerprint: ECA1 E3F2 8E11 2432 D485  DD95 EB36 171A 6FF9 435F

