[Sugar-devel] Social Help
James Cameron
quozl at laptop.org
Wed Sep 17 17:41:13 EDT 2014
On Thu, Sep 18, 2014 at 06:54:07AM +1000, Sam P. wrote:
> Hi Gonzalo, James and Walter
>
> Sorry about the social sign ins not working. I think I know what
> the underlying issue is and I will fix tonight. In the meantime, I
> have disabled those sign ins.
I confirm they are disabled. I tried to reproduce the problem
reported by Walter and Gonzalo, but the site no longer reacted in the
way I remember. This was frustrating, because it meant I could no
longer see the problem. Such software implementations are often
frustrating; change is outside the control of the user, and when a
change is made it isn't obvious what the trigger is. I was about to
check whether my browser version had changed. ;-)
> re. James not wanting to give me his GitHub account
> ("...Trust...Security..."):
>
> When you sign in with one of these, I never see your username and
> password. You log in to the site and the site gives me a token.
> Later, I can use this token to view only what I have asked you for;
> so like your email and avatar basically. I can not use that
> information to do anything on your GitHub account. And you can
> revoke the token in the settings.
Yes, I don't want _you_ to be responsible for processing a token that
GitHub provides on my _alleged_ behalf. If GitHub is compromised, and
generates tokens without my permission, then your site would be
compromised in short order. I don't see how you can accept that risk,
but I don't have the same acceptance of risk you have. I'm okay with
you taking on that risk for other people, that's your decision, but
for me I don't feel I should put you to the trouble. It means I must
assume that posts by others may be forged _if_ it is discovered that
GitHub is compromised. However, GitHub may be compromised without my
discovering it. So I must assume that posts by others may be forged.
Hope that helps you understand me! ;-)
--
James Cameron
http://quozl.linux.org.au/