Luca Filipozzi <lfili...@debian.org> writes:

> I think that our services -- such as SCM, CI/CD, Wiki, RT, etc. --
> should evolve independently from the SSO infrastructure. One could argue
> that RT has a user database that could be used as an authentication service
> if exposed correctly. Or the Wiki.

Let me try to rephrase this and see if I understand. Your concern is that by using Salsa as the IdP, we're coupling identity in Debian too closely to one component of our development infrastructure, and thus possibly creating roadblocks in the future? For example, we might want to switch to a different SCM platform that doesn't provide an IdP, or we may want IdP features that aren't a priority for GitLab?

That argument does make sense to me. This path more tightly couples the project to the Salsa deployment.

However, I personally am not *too* worried about this because OIDC makes it possible to migrate IdPs without too many problems. This is where a standardized protocol helps considerably. There would still be some challenges in exporting and converting the Salsa identity database, but we have all that data and could do that work.

I agree with you that this is a risk, and it might be good to do some planning work up-front to identify the data we're storing in Salsa that we may want to move to some other platform like Keycloak in the future, but I think it's a risk we can mitigate.

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>