Bug#984999: sso.debian.org is deprecated

2021-03-12 Thread Raphael Hertzog
Hi,

On Thu, 11 Mar 2021, Antoine Beaupre wrote:
> According to the sso.debian.org wiki page, the service is
> "deprecated":
> 
> > If you are a service admin please look into using Salsa for this
> > purpose. 
> 
> It seems to me that tracker.debian.org should follow this deprecation
> and stop using sso.debian.org as a single sign on source, especially
> now that Firefox in stable (78, buster) does not support the <keygen>
> tag (dropped from Firefox 69) which makes enrolling client certs
> particularly painful.

Yeah, but I don't see a reason to disable this until someone has
contributed OIDC authentication with salsa.debian.org.

I haven't even looked at what it entails. We don't seem to have
pyoidc in Debian (https://github.com/rohe/pyoidc) and I don't see
any other Python implementation.

I wonder what nm.debian.org uses for this.

> Apparently, you can still generate client-sides certs with "web
> crypto", whatever that means... But that's kind of out of scope here. 

I managed to renew my certificate by following the instructions
on sso.debian.org at least.

Cheers,
-- 
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog 
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋   The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄   Debian Long Term Support: https://deb.li/LTS



Bug#984999: sso.debian.org is deprecated

2021-03-12 Thread Mattia Rizzolo
On Fri, Mar 12, 2021 at 01:48:48PM +0100, Raphael Hertzog wrote:
> On Thu, 11 Mar 2021, Antoine Beaupre wrote:
> > According to the sso.debian.org wiki page, the service is
> > "deprecated":
> > 
> > > If you are a service admin please look into using Salsa for this
> > > purpose. 

I'm oh so much looking forward to what we'll do in 5-10 years when salsa
will suddenly become deprecated as well :/

> Yeah, but I don't see a reason to disable this until someone has
> contributed OIDC authentication with salsa.debian.org.
> 
> I haven't even looked at what it entails. We don't seem to have
> pyoidc in Debian (https://github.com/rohe/pyoidc) and I don't see
> any other Python implementation.
> 
> I wonder what nm.debian.org uses for this.

enrico developed this actually very nice piece of code that allows
associating "identities" with accounts, effectively providing multiple
login methods.  It's actually incredibly simple, though of course it
could do with a few improvements here and there…
https://salsa.debian.org/nm-team/nm.debian.org/-/tree/master/signon
That's also used by contributors.d.o and debtags.d.n, so we were
thinking of splitting the "app" out of them to reduce the duplication.

Incidentally, the fact that the salsa admins decided to not force
account names with -guest anymore, also means that you can't easily
associate salsa accounts to DDs anymore, and AFAIK there is no good way
to establish that as of now (the nm API is not publicly advertising the
salsa accounts details of DDs ATM (that's part of a private API for
salsa only though), and of course the salsa admins don't fancy patching
gitlab to expose that detail).
So, even if you implemented the above thing, associating everybody's
salsa "identities" to their already existing tracker.d.o accounts would
prove incredibly difficult.  Good luck.

> > Apparently, you can still generate client-sides certs with "web
> > crypto", whatever that means... But that's kind of out of scope here. 
> 
> I managed to renew my certificate by following the instructions
> on sso.debian.org at least.

Chrome also hasn't supported online keygen for years, but I argue it's
still trivial to get a certificate.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
More about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-




Bug#984999: sso.debian.org is deprecated

2021-03-12 Thread Mattia Rizzolo
On Fri, Mar 12, 2021 at 02:36:58PM +0100, Raphael Hertzog wrote:
> Actually, tracker.debian.org is very much e-mail centric. Does signon
> return a list of authenticated emails associated to the identity ?

"signon" has nothing to do with emails.  It only associates "identities"
(defined as whatever identifies a person, be it an SSL certificate or an
OpenID thing) to whatever the local idea of an "account" is.

I don't have a good understanding of how distro-tracker handles the
emails and accounts, but from what I could see of its models in the
past, I think you should just associate "signon" to the
django_email_accounts.models.User, but you clearly need something extra
to handle the emails: for "debsso" (the name signon gives to the SSL
certs from sso.d.o) you can probably default to their username field;
for salsa probably you need to get the salsa account email address and
match that?

> And tracker.debian.org has currently no special privileges for Debian
> developers... except that when you have a debian.org email, you are
> forced to use the SSO (IIRC).

Right.  I was mostly talking more generically here.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
More about me:  https://mapreri.org : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


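
The identity-to-account association described in the two messages above (the nm.debian.org "signon" app binding a debsso client cert or a Salsa login to a local account, and the username/e-mail matching suggested for tracker.d.o), sketched as stand-alone Python. This is an added example for this page, not the signon code and nothing from distro-tracker; the class names, the `email_verified` flag, the `username@debian.org` fallback and the sample accounts are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Identity:
    """One login identity in the sense "signon" uses the word: which
    provider vouched for the person, plus that provider's stable subject."""
    provider: str                  # "debsso" (sso.d.o client cert) or "salsa" (OIDC)
    subject: str                   # Debian username for debsso, OIDC `sub` for salsa
    email: Optional[str] = None    # e-mail the provider asserted, if any
    email_verified: bool = False   # whether the provider says it verified that address


@dataclass
class Account:
    """The local idea of an account; e-mail centric like tracker.d.o."""
    username: str
    emails: Set[str] = field(default_factory=set)
    identities: Set[Identity] = field(default_factory=set)


class LinkError(Exception):
    """Raised when an identity is already bound to a different account."""


IdentityKey = Tuple[str, str]


class SignonStore:
    """Maps (provider, subject) pairs to accounts so that one account can
    have several login methods (assumed structure, not signon's models)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}            # username -> account
        self.by_identity: Dict[IdentityKey, Account] = {}

    def add_account(self, username: str, emails: Iterable[str]) -> Account:
        acct = Account(username, set(emails))
        self.accounts[username] = acct
        return acct

    def find_by_email(self, email: str) -> Optional[Account]:
        for acct in self.accounts.values():
            if email in acct.emails:
                return acct
        return None

    def link(self, ident: Identity, acct: Account) -> None:
        """Bind an identity to an account, refusing to steal it from another."""
        key = (ident.provider, ident.subject)
        owner = self.by_identity.get(key)
        if owner is not None and owner is not acct:
            raise LinkError(f"{key} already belongs to {owner.username}")
        self.by_identity[key] = acct
        acct.identities.add(ident)

    def login(self, ident: Identity) -> Optional[Account]:
        """Return the account behind an authenticated identity, associating
        it on first use. Returns None when no safe association exists."""
        acct = self.by_identity.get((ident.provider, ident.subject))
        if acct is not None:
            return acct
        if ident.provider == "debsso":
            # The sso.d.o cert carries the Debian username, so default to it.
            # Falling back to username@debian.org is an assumption made here
            # so that an e-mail-keyed account can be found or created.
            acct = (self.accounts.get(ident.subject)
                    or self.find_by_email(f"{ident.subject}@debian.org")
                    or self.add_account(ident.subject, [f"{ident.subject}@debian.org"]))
        elif ident.provider == "salsa":
            # Salsa usernames no longer say who is a DD, so the only handle is
            # the e-mail claim. Only a verified claim may select an account:
            # honouring an unverified one would let anyone take over the
            # account of whoever's address they put in their profile.
            if not ident.email or not ident.email_verified:
                return None
            acct = self.find_by_email(ident.email)
            if acct is None:
                return None
        else:
            return None
        self.link(ident, acct)
        return acct
```

The two refusals are the checks worth keeping whatever the real models look like: `link` never rebinds a (provider, subject) pair that already belongs to another account, and a Salsa e-mail only selects an account when the provider marked it verified; a first-time Salsa login that matches nothing gets `None` and has to be linked explicitly while logged in another way.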


Bug#984999: sso.debian.org is deprecated

2021-03-12 Thread Raphael Hertzog
Hi,

On Fri, 12 Mar 2021, Mattia Rizzolo wrote:
> Incidentally, the fact that the salsa admins decided to not force
> account names with -guest anymore, also means that you can't easily
> associate salsa accounts to DDs anymore, and AFAIK there is no good way
> to establish that as of now (the nm API is not publicly advertising the
> salsa accounts details of DDs ATM (that's part of a private API for
> salsa only though), and of course the salsa admins don't fancy patching
> gitlab to expose that detail).
> So, even if you implemented the above thing, associating everybody's
> salsa "identities" to their already existing tracker.d.o accounts would
> prove incredibly difficult.  Good luck.

Actually, tracker.debian.org is very much e-mail centric. Does signon
return a list of authenticated emails associated to the identity ?

And tracker.debian.org has currently no special privileges for Debian
developers... except that when you have a debian.org email, you are
forced to use the SSO (IIRC).

Cheers,
-- 
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog 
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋   The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄   Debian Long Term Support: https://deb.li/LTS

