[Sugar-devel] Social Help

James Cameron quozl at laptop.org
Wed Sep 17 17:41:13 EDT 2014


On Thu, Sep 18, 2014 at 06:54:07AM +1000, Sam P. wrote:
> Hi Gonzalo, James and Walter
> 
> Sorry about the social sign ins not working.  I think I know what
> the underlying issue is and I will fix tonight.  In the meantime, I
> have disabled those sign ins.

I confirm they are disabled.  I tried to reproduce the problem
reported by Walter and Gonzalo, but the site no longer reacted in the
way I remember.  This was frustrating, because it meant I could no
longer see the problem.  Such software implementations are often
frustrating; change is outside the control of the user, and when a
change is made it isn't obvious what the trigger is.  I was about to
check whether my browser version had changed.  ;-)

> re. James not wanting to give me his GitHub account
> ("...Trust...Security..."):
> 
> When you sign in with one of these, I never see your username and
> password.  You log in to the site and the site gives me a token.
> Later, I can use this token to view only what I have asked you for;
> so like your email and avatar basically. I can not use that
> information to do anything on your GitHub account.  And you can
> revoke the token in the settings.

Yes, I don't want _you_ to be responsible for processing a token that
GitHub provides on my _alleged_ behalf.  If GitHub is compromised, and
generates tokens without my permission, then your site would be
compromised in short order.  I don't see how you can accept that risk,
but I don't have the same acceptance of risk you have.  I'm okay with
you taking on that risk for other people, that's your decision, but
for me I don't feel I should put you to the trouble.  It means I must
assume that posts by others may be forged _if_ it is discovered that
GitHub is compromised.  However, GitHub may be compromised without my
discovering it.  So I must assume that posts by others may be forged.

Hope that helps you understand me!  ;-)

-- 
James Cameron
http://quozl.linux.org.au/

