Hey All.
On 28.05.22 11:53, Aaron Junker wrote:
Hi all, I would like to start the discussion on my RFC for creating a global login system on php.net: https://wiki.php.net/rfc/global_login. When you have feedback to a specific point of the RFC, please use the corresponding number used in the RFC.
I do have my issues with the general RFC.
The idea to have one login system to all parts of the PHP internals ecosystem seems tempting for sure. But as you pointed out in the introduction, there are 9 different services - partly rather old ones - that would require some work to make SSO work. Some of them we have control over, some of them we do not (as those are external applications that we are using. Fiddling with their source code might be possible but will leave us more or less unable to update the tools).
So moving those applications that we have control over towards SSO will bind resources. And not only now, but also in the future as those tools might need updates as well.
Resources though, especially for infrastructure, are a very rare good!
In addition I would say that we can assume the edit.php.net to be dead after we moved documentation from SVN to git. So that is awesome as that means "one down" and we couldn't already find someone to modify edit.php.net to work with git instead of SVN. So that's great news!
But the bad news is, that there is also the colobus system which powers the NNTP-server backend that a number of people use to interact with the mailing-list. Which also has an authentication and would therefore need to be switched. So we are back at 9 services. And we switched one that is completely under our control to one that isn't as we are merely using a (rather old by now) service.
And there might even be more than those.
So what I'm trying to bring across here is that this task will bind a lot of resources with a gain that I'm not sure is worth the effort. And instead of binding people working on resources that improve the life of a few (those working on these quirky systems) I'd rather see those resources spent where they improve the life of all PHP-Developers. Like improving the docs, triaging bugs, answering questions on StackOverflow/Room11/PHPC/Whatever else there is.
In addition to that I would like to raise my concerns over using GitHub login for everything (Topic 1.2).
GitHub is a company based in the US and therefore bound to US law. That already means that people from certain countries can not (easily) collaborate and are therefore also excluded from contributing in any way to PHP[1]. In addition to those regulations directly by GitHub some countries are blocking access to GitHub on their own account which means that Developers from Russia or China will have a harder time contributing to PHP due to the fact that they are not able to log in to any system.
Are we aware of that?
On the other hand maintaining our own SSO-Solution will bind even more resources... See above.
In addition: The number of different logins is usually rather small per person. And keeping track of the different systems and passwords via a PasswordManager should solve most of the day-to-day hassle. Having a central place though to document the hassle would be a very helpful addition to the PHP ecosystem!
My 0.02€
Cheers
Andreas - The one having struggled for some years with just *one* infra-change.
[1] https://docs.github.com/en/site-policy/other-site-policies/github-and-trade-controls#on-which-countries-and-territories-are-us-government-sanctions-applied
Best regards
Aaron Junker
-- 
Andreas Heigl
mailto:andr...@heigl.org
N 50°22'59.5" E 08°23'58"
https://andreas.heigl.org
https://hei.gl/appointmentwithandreas