Re: Salsa as authentication provider for Debian

2020-04-11 Thread Andrei POPESCU
On Sb, 11 apr 20, 19:27:53, Julien Cristau wrote:
> On Sat, Apr 11, 2020 at 10:04:55AM +0300, Andrei POPESCU wrote:
> > 
> > I must be missing something so I'm asking: what is the *benefit* of 
> > avoiding collisions with Debian accounts?
> > 
> f...@salsa.debian.org and f...@debian.org both existing and referring to
> different people risks causing confusion.  I'd like to understand why
> we're going that way.

If I understand correctly, then, using the -guest suffix would allow for 
foo-gu...@salsa.debian.org and f...@debian.org both existing and 
referring to different people.

In my opinion this still doesn't significantly reduce the risk of 
confusion while also being quite unfriendly should the foo-guest user 
ever wish to become a Debian Member.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: Testing Discourse for Debian

2020-04-11 Thread Olek Wojnar
If we were having this discussion on Discourse I would give this idea a +1.
:)

Well... technically a <3 but...

On Fri, Apr 10, 2020 at 3:02 PM Neil McGovern  wrote:

> Hi folks,
>
> For a little while, I've been keen to see how we can improve our
> communication methods, both to make it more accessible to newcomers and to
> take advantage of more featureful tooling than has been traditionally
> possible with email lists.
>
> As such, I set up an instance of Discourse[0] at
> https://discourse.debian.net, and am now asking for a wider input on if
> this is something the project wishes to use and if I should spend my
> time pursuing.
>
> FAQ
> ===
>
> Is it Free Software?
>   Yes. It's GPLv2+.
>
> Who else uses it?
>   Lots of people. GNOME, Mozilla, Ubuntu, Fedora to name a few
>
> What about the mailing lists?
>   This may or may not be a replacement for any particular list. I suspect
>   there are some that would benefit greatly from having Discourse be the
>   primary interaction, and other places where this would be less suitable.
>
> Be specific!
>   Ok... I think debian-user, debian-vote and possibly debian-project would
>   be better off in Discourse. I think debian-devel-announce should stay as
>   an email list (for now). However, I am not suddenly proposing that we shut
>   those lists down. The aim of this exercise is to see if Discourse would
>   work well for us.
>
> Email is still important to me!
>   Fine, you can interact with Discourse by email rather than the web
>   interface. It should be noted however, that there is not 1:1 feature
>   parity with email and the web interface, as Discourse does things that
>   can't easily be done with email. For the majority of users though,
>   email interaction should be "good enough".
>
> Why are you doing this?
>   I have two motivations. First, is moderation. Discourse has built in tools
>   to allow community moderation on a much better scale than our email lists.
>   Secondly, I genuinely believe that ease of access to new contributors is
>   of paramount importance to the project.
>
> What about X software instead?
>   Feel free to explore other solutions. I've already done evaluations, and
>   I'm pretty much set on this as the correct way forward. If there is
>   insufficient interest in moving forward with Discourse, I'll leave it to
>   others to invest time.
>
> What about forums.debian.net?
>   I have no interest in interacting with a community of users and
>   moderators who allow blatant Code of Conduct violations to go
>   unchecked.
>
> What's next?
>   I'd appreciate people testing Discourse. If you have any questions, then
>   I'm happy to answer them.
>
> Thanks,
> Neil
>
> [0] https://www.discourse.org/
>


Re: Testing Discourse for Debian

2020-04-11 Thread Sean Whitton
Hello,

On Sat 11 Apr 2020 at 11:11PM +02, Enrico Zini wrote:

> The recent difficult discussion on SSO here on -project made me think of
> a use case for which Discourse might be just the thing: Debian
> Enhancement Proposals[0].
>
> I get the impression that having proposals discussed/peer reviewed on
> Discourse might be easier and more pleasant than on lists. For example,
> it would give a way to express agreement with something more visible
> than silence, it would give a way to get visible feedback other than
> negative, and give some measure of perceived relevance to the various
> contributions made to the discussion.

One concern I'd like to raise is posterity.  It is not clear to me that
discussions on a platform like Discourse can be sufficiently well
archived.

For any technical topic (including DEPs) it is important that we can
find old discussions in the future, easily, and without there being too
many entrypoints into the search.

Right now I can rely on my notmuch database to pull basically any Debian
discussion, because it includes the BTS, lists, and mail which I was
CCed on or received through an alias like ftpmaster@.  And one can
easily incorporate mboxes from master.d.o or bugs.d.o to get any missing
context.[1]

Perhaps Discourse's e-mail integration would be sufficient for me to be
able to search my personal archive for the content of past discussions,
but it would be very difficult for others not present for the discussion
to incorporate the text of everyone's messages into their information
stores.  You'd have to use your browser's File->Save Page As or similar,
which is difficult to search later.

> I'm not sure if I would be motivated right now, or ever, to have another
> round of "peer review" like the one I just had, on a list. Discourse
> seems like it might be a venue for peer review that wouldn't make me
> feel like leaving the project after a couple of days of interaction.

Yes.  I would like us to be able to handle this communicative function
better.

Could you say more about how you think Discourse would have changed how
the discussion went?

I am concerned that the problem is basically a social one, and so cannot
be solved just by using a different software stack to host discussions.

[1]  E.g. `M-x notmuch-slurp-this-debbug` in the elpa-mailscripts package.

-- 
Sean Whitton




Re: Testing Discourse for Debian

2020-04-11 Thread Enrico Zini
On Fri, Apr 10, 2020 at 07:59:59PM +0100, Neil McGovern wrote:

> For a little while, I've been keen to see how we can improve our
> communication methods, both to make it more accessible to newcomers and to
> take advantage of more featureful tooling than has been traditionally
> possible with email lists.
> 
> As such, I set up an instance of Discourse[0] at
> https://discourse.debian.net, and am now asking for a wider input on if
> this is something the project wishes to use and if I should spend my
> time pursuing.

The recent difficult discussion on SSO here on -project made me think of
a use case for which Discourse might be just the thing: Debian
Enhancement Proposals[0].

I get the impression that having proposals discussed/peer reviewed on
Discourse might be easier and more pleasant than on lists. For example,
it would give a way to express agreement with something more visible
than silence, it would give a way to get visible feedback other than
negative, and give some measure of perceived relevance to the various
contributions made to the discussion.

I'm not sure if I would be motivated right now, or ever, to have another
round of "peer review" like the one I just had, on a list. Discourse
seems like it might be a venue for peer review that wouldn't make me
feel like leaving the project after a couple of days of interaction.


Enrico

[0] https://dep-team.pages.debian.net/deps/dep0/
-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini 




Re: Salsa as authentication provider for Debian

2020-04-11 Thread Sam Hartman

> "Michael" == Michael Lustfield  writes:

Michael> Multiple concerns have been raised and subsequently
Michael> shrugged off. It's clear that no concern raised will make
Michael> any difference so, yeah... go for it.

Actually, Enrico provided a summary describing how the concerns that
have been raised have been evaluated; see
20200410183809.nchdmlkk6zdj7...@enricozini.org .

That message demonstrates changes that have been made in response to
concerns raised.
The primary example is better ability to figure out from a salsa user
page who is a DD.

It also explains the analysis of the other issues that were raised.
Significant effort was put into evaluating the concerns raised by Enrico
and others.

I appreciate your frustration, but your message crossed a line that I
would ask you not to cross again.
I would urge you to find a way to disagree with decisions and express
frustration without undermining the work of others.

I hear your desire to design a solution and get a project wide consensus
on that solution.
Long term, perhaps we'll do that.
However, Debian empowers maintainers of groups within our project to
move forward; Debian values incremental development; and Debian values
letting people actively doing the work have significant latitude in how
that work is done.

I think the bar for halting people going forward and making things
incrementally better is very high, and no, my take as someone who has
facilitated a lot of discussions is that none of the concerns raised met
that bar.

Things might be different if Enrico's decisions or work blocked other
people from going forward and exploring their own (potentially
longer-term) options.

That's not the case.

Much of the work Enrico proposes to do--for example adopting OIDC for
sso.debian.org and nm.debian.org--is common across all the solutions.

There have been a number of people who have looked at the work involved
in changing from one IDP (salsa) to another and concluded that it is
well within the sorts of changes we've made in Debian's sso architecture
over the years.
Independently of Enrico's proposal, and unremarked by everyone who is in
this discussion, debian.social has adopted the same strategy.
Even if nm.debian.org, contributors.debian.org and sso.debian.org were
not going to use salsa, we'd already have salsa being used as a sso
solution within Debian.





Sam Hartman
Debian Project Leader




Re: Salsa as authentication provider for Debian

2020-04-11 Thread Sam Hartman
> "Julien" == Julien Cristau  writes:

Julien> On Sat, Apr 11, 2020 at 10:04:55AM +0300, Andrei POPESCU wrote:
>> 
Julien> f...@salsa.debian.org and f...@debian.org both existing and
Julien> referring to different people risks causing confusion.  I'd
Julien> like to understand why we're going that way.

We aren't.
However, there has been an emerging project consensus that we do not
wish for people's usernames (salsa or otherwise, but especially salsa)
to change as their role in the project changes.

I've been seeing this come up again and again throughout my term as
DPL:

* Disabling people's ability to contribute to salsa when their account
  was suspended was a significant unintended consequence of DAM actions
  last year.  It created a lot of friction.

* That same friction appeared as pushback on recommending salsa in
  various ways.

* As a side thread on the Git Packaging discussion on debian-devel,
  there was a strong desire to improve this and get to a position where
  -guest accounts didn't work the way they do today.  I did not directly
  report on that in my consensus call because it was out of scope, but
  as the person facilitating that discussion, I think we had a
  presumptive consensus in favor of moving in that direction.

* The issues with -guest accounts did impact the consensus call for the
  Git Packaging discussion in that we had fewer options to recommend for
  non-DDs starting out packaging.  People felt uncomfortable
  recommending a -guest name for packaging, and the account lifecycle
  issues significantly complicated that discussion.

* It's my reading of the thread here that there was again a rough
  consensus in favor of not having usernames change as your role in the
  project changes.  Multiple arguments have been advanced and it
  appears the rough consensus of the discussion here is in favor of the
  change.

Your concern--about foo@salsa and f...@debian.org both existing--has been
discussed.
It's clear there is a desire to minimize this.
At least for the pathways involving nm.debian.org, my understanding is
that we will avoid this.
By requiring that people register a salsa account before obtaining a DSA
guest account, DSA could choose to close off the remaining ways in which
this conflict emerges.

Obviously, the salsa maintainers and nm maintainers don't have the power
to make this happen.  They have managed the risk in the areas where they
can and have notified everyone of the issue.

My suspicion is that the project will conclude that even given a
residual risk if DSA were not to choose to act, the advantages of having
usernames not change are sufficient that the project is unwilling to try
to override the salsa maintainers.

--Sam




Re: Salsa as authentication provider for Debian

2020-04-11 Thread Julien Cristau
On Sat, Apr 11, 2020 at 10:04:55AM +0300, Andrei POPESCU wrote:
> On Mi, 08 apr 20, 19:40:27, Julien Cristau wrote:
> > On Wed, Apr  8, 2020 at 14:30:43 +0200, Bastian Blank wrote:
> > 
> > > Hi Zhu
> > > 
> > > On Wed, Apr 08, 2020 at 07:50:22PM +0800, Shengjing Zhu wrote:
> > > > 1. Can you still keep the "-guest" enforcement, so it's still easy to
> > > > recognize who is DD or not on salsa?
> > > 
> > > No.  The guest suffix was meant to avoid collisions with Debian
> > > accounts.  And the tool used to enforce it is unmaintained.
> > > 
> > I think avoiding collisions with debian accounts is still valuable, and
> > the proposal doesn't explain why removing this protection is in any way
> > related or necessary for other services to use salsa as auth providers.
> 
> I must be missing something so I'm asking: what is the *benefit* of 
> avoiding collisions with Debian accounts?
> 
f...@salsa.debian.org and f...@debian.org both existing and referring to
different people risks causing confusion.  I'd like to understand why
we're going that way.

Cheers,
Julien



Re: Salsa as authentication provider for Debian

2020-04-11 Thread Michael Lustfield
On Sat, 11 Apr 2020 12:02:40 +0200
Jonathan Carter  wrote:

> [...]
> This thread has had lots of discussion so far and no one has listed a
> single reason against your proposal yet, IMHO if no one is standing in
> your way it's time to just go ahead and do it.

Multiple concerns have been raised and subsequently shrugged off. It's clear
that no concern raised will make any difference so, yeah... go for it. There's
no point continuing typical debian drama for something that's going to be
pushed forward regardless.



Re: Salsa as authentication provider for Debian

2020-04-11 Thread Jonathan Carter
On 2020/04/10 13:05, Felix Lechner wrote:
> As a group, we are driving Enrico up the wall. Let's just get rid of
> the old stuff now
...

+1

Enrico, your plans sound very sane and from all the information in these
threads it seems logical for the project to go ahead with it.

What's holding you back at this point? From the initial post from
Bastian it does seem that most stakeholders on the admin side have been
involved and that they may be on board. I know the salsa admins have
been (understandably) reluctant to just jump in on this in the past,
have you heard back from them and are they supportive of your idea for
the reasons you have listed?

This thread has had lots of discussion so far and no one has listed a
single reason against your proposal yet, IMHO if no one is standing in
your way it's time to just go ahead and do it.

-Jonathan

-- 
  ⢀⣴⠾⠻⢶⣦⠀  Jonathan Carter (highvoltage) 
  ⣾⠁⢠⠒⠀⣿⡁  https://wiki.debian.org/highvoltage
  ⢿⡄⠘⠷⠚⠋   https://debian.org | https://jonathancarter.org
  ⠈⠳⣄  Be Bold. Be brave. Debian has got your back.



Re: Salsa as authentication provider for Debian

2020-04-11 Thread Andrei POPESCU
On Mi, 08 apr 20, 19:40:27, Julien Cristau wrote:
> On Wed, Apr  8, 2020 at 14:30:43 +0200, Bastian Blank wrote:
> 
> > Hi Zhu
> > 
> > On Wed, Apr 08, 2020 at 07:50:22PM +0800, Shengjing Zhu wrote:
> > > 1. Can you still keep the "-guest" enforcement, so it's still easy to
> > > recognize who is DD or not on salsa?
> > 
> > No.  The guest suffix was meant to avoid collisions with Debian
> > accounts.  And the tool used to enforce it is unmaintained.
> > 
> I think avoiding collisions with debian accounts is still valuable, and
> the proposal doesn't explain why removing this protection is in any way
> related or necessary for other services to use salsa as auth providers.

I must be missing something so I'm asking: what is the *benefit* of 
avoiding collisions with Debian accounts?

While I'm at it, in my opinion as a non-Debian Member, getting rid of 
the -guest suffix is also slightly more welcoming for new contributors.

Kind regards,
Andrei
-- 
http://wiki.debian.org/FAQsFromDebianUser




Re: Salsa as authentication provider for Debian

2020-04-11 Thread kuLa
On 10 April 2020 12:05:42 BST, Felix Lechner  wrote:
>Hi,
>
>As a group, we are driving Enrico up the wall. Let's just get rid of
>the old stuff now and have a discussion about keycloak and
>lemonldap-ng at the same time.

I fully support this statement; also, please remember that perfect is the enemy
of good.

Waldi and Enrico presented a good and viable solution for the existing situation
which is not blocking nor forbidding anybody to work on another approach in the
future.

I understand that there is a big appetite from DSA and others to implement
comprehensive and maintainable ID and user management in Debian.
As far as I'm able to understand the presented proposal, there is nothing in it
that would prevent future or even parallel implementation of other solutions.

So, please, people, let them do what they proposed and in the meantime work on
the future solution which could be plugged in to what will emerge after Enrico
and Waldi are done.

kula