On Mon, Sep 24, 2012 at 2:47 PM, Ken Dreyer <ktdre...@ktdreyer.com> wrote:

> On Mon, Sep 24, 2012 at 3:37 AM, Marius Mårnes Mathiesen
> <marius.mathie...@gmail.com> wrote:
> > Although I wasn't around at the time, I would think it either had to do with
> > a higher probability for uniqueness with a three char username or the risk of
> > brute force attacks on shorter usernames?
>
> Thank you. Do you think this is still valid? In other words, would you
> take a patch that drops the username limit from 3 to 2? To address any
> brute-force concerns, maybe the password minimum character limit
> should be increased.
>

I agree, I'm quite sure such a patch would be accepted :-)


> On Mon, Sep 24, 2012 at 5:30 AM, Peter Kjellerstedt
> <peter.kjellerst...@axis.com> wrote:
> > You might want to consider making this configurable, given that you cannot
> > influence what user names are already in use
>
> Gitorious has so many configuration options already, so perhaps we
> should just change the limit from 3 to 2 and reduce the number of code
> paths to test?
>

Agreed.

> On Mon, Sep 24, 2012 at 5:41 AM, Marius Mårnes Mathiesen
> <marius.mathie...@gmail.com> wrote:
> > Side note: we're going to have to make some changes to how usernames are
> > validated when using an external authentication provider (like LDAP) anyway.
> > We currently substitute any dots in usernames with a dash, but the problem
> > here is that this is a lossy process. We have seen LDAP directories which
> > use both dashes and dots. One thing to do could be to be more liberal when
> > using external authentication systems; do any of you have any thoughts on
> > this - e.g. what kind of real-world use cases we will need in this regard?
>
> Good question. I support Gitorious for a multi-realm Active Directory
> environment. Currently Gitorious' Kerberos+LDAP authentication is only
> enabled for one of the domains, but down the road I want to open it up
> to support users from multiple domains. This will entail supporting
> Gitorious usernames with "@" signs. I've been meaning to look into
> what exactly is blocking "@" signs in Gitorious - I wasn't sure if the
> restriction is related to Rails or not.
>

Thanks for the input. The only restriction I still remember the motivation
for wrt usernames is the dot: Rails treats dots anywhere in a URL
specially, I think because of the convention of using it to specify a
format. If you'd care to experiment with allowing and using @'s in
usernames I'd love to hear how this works for you.

Cheers,
- Marius

-- 
To post to this group, send email to gitorious@googlegroups.com
To unsubscribe from this group, send email to
gitorious+unsubscr...@googlegroups.com
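
The lossy dot-to-dash substitution mentioned in the thread, as an added example that is not part of the original messages and not Gitorious code: it shows two distinct directory identities landing on one login, next to a reversible escaping scheme that keeps them apart. All method names, the escaping scheme and the sample names are assumptions made for illustration.

```ruby
# Added illustration; method names are hypothetical, not Gitorious code.

# The lossy mapping described in the thread: every dot becomes a dash.
def lossy_login(directory_name)
  directory_name.tr(".", "-")
end

# Reversible alternative (an assumption, not a Gitorious feature): escape the
# dash itself so a dash that came from a dot is never mistaken for a real one.
#   "-" -> "--"    "." -> "-d"
def reversible_login(directory_name)
  directory_name.gsub(/[-.]/) { |c| c == "-" ? "--" : "-d" }
end

# Inverse of reversible_login: every "-" starts a two-character escape.
def restore_directory_name(login)
  login.gsub(/-([-d])/) { $1 == "-" ? "-" : "." }
end

# Returns { login => [directory names] } for every login that more than one
# distinct directory identity maps to. The block is the mapping under test.
def collisions(directory_names)
  directory_names.uniq
                 .group_by { |name| yield(name) }
                 .select { |_login, names| names.size > 1 }
end

# Constructed sample directory entries (not real users).
SAMPLE_NAMES = %w[anna.berg anna-berg j.smith j-smith kdreyer].freeze

if __FILE__ == $PROGRAM_NAME
  puts "lossy collisions:      #{collisions(SAMPLE_NAMES, &method(:lossy_login))}"
  puts "reversible collisions: #{collisions(SAMPLE_NAMES, &method(:reversible_login))}"
end
```

Running the collision check against an export of the directory before enabling external authentication shows which accounts would be merged by the mapping.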
