llvm dev - Oct 2012 - [LLVMdev] Announcement: Phabricator for code reviews

On Thu, Oct 18, 2012 at 11:21 PM, Krzysztof Parzyszek <
kparzysz at codeaurora.org> wrote:
> On 10/18/2012 4:18 PM, Chandler Carruth wrote:
>
>>
>> Facebook is not the only OAuth provider though. We should be able to
>> support essentially any you would prefer if that's all.
Manuel's comment
>> still stands if OAuth is a problem.
>>
>
> My point is that using an OAuth provider should be an option, not a
> de-facto requirement.

I hear you, but I'd be interested in why OAuth is a problem for you - as I
said, if we have good arguments, the phab guys are really quick to come up
with changes. I'm not deeply familiar with authentication schemes.

Thanks,
/Manuel

>
>
> --
> Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted
> by The Linux Foundation
> ______________________________**_________________
> LLVM Developers mailing list
> LLVMdev at cs.uiuc.edu         http://llvm.cs.uiuc.edu
>
http://lists.cs.uiuc.edu/**mailman/listinfo/llvmdev<http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.llvm.org/pipermail/llvm-dev/attachments/20121018/43bb9990/attachment.html>

On 10/18/2012 4:45 PM, Manuel Klimek wrote:
>
> I hear you, but I'd be interested in why OAuth is a problem for you -
as
> I said, if we have good arguments, the phab guys are really quick to
> come up with changes. I'm not deeply familiar with authentication
schemes.
What I don't like about it is that those who do not have Facebook, 
Google or Github accounts will now need to get one in order to access 
service that's entirely unrelated to any of the account providers. 
Also, those people who do compiler work for a living may be required to 
follow certain protocols when communicating with the outside world. 
Tying it to Facebook or Google may simply not be an option.

-K

-- 
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, 
hosted by The Linux Foundation

Manuel,

On Oct 18, 2012, at 2:45 PM, Manuel Klimek <klimek at google.com> wrote:
> I hear you, but I'd be interested in why OAuth is a problem for you -
as I said, if we have good arguments, the phab guys are really quick to come up
with changes. I'm not deeply familiar with authentication schemes.
I know you've already resolved the issue for me with a manually created
account, but to reiterate my reasons from that earlier conversation:

For me, the concerns are much more about privacy than about security.  I'm
not really bothered by the idea of my Phabricator account being compromised, and
I will use one-off credentials to ensure that a compromise of it will not impact
other accounts that I care about more.

What does bother me is the loss of privacy implied by sharing a login system
between Phabricator and any of the various OAuth providers.  I'm not
interested in having my identity shared across systems, particularly when some
of those systems are built for and funded by correlating as much of that
identity information as possible and using it for advertising.  From this
perspective, using a Github OAuth is the *least bad* alternative, but it's
still not a direction that I  want to encourage.

--Owen
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.llvm.org/pipermail/llvm-dev/attachments/20121018/72286f9e/attachment.html>

Thanks, I've created https://secure.phabricator.com/T1930.
Until that is resolved I'll create accounts for anybody who doesn't want
to
use OAuth - just shoot me a mail.

Cheers,
/Manuel


On Fri, Oct 19, 2012 at 12:03 AM, Owen Anderson <resistor at mac.com>
wrote:
> Manuel,
>
> On Oct 18, 2012, at 2:45 PM, Manuel Klimek <klimek at google.com>
wrote:
>
> I hear you, but I'd be interested in why OAuth is a problem for you -
as I
> said, if we have good arguments, the phab guys are really quick to come up
> with changes. I'm not deeply familiar with authentication schemes.
>
>
> I know you've already resolved the issue for me with a manually created
> account, but to reiterate my reasons from that earlier conversation:
>
> For me, the concerns are much more about privacy than about security. 
I'm
> not really bothered by the idea of my Phabricator account being
> compromised, and I will use one-off credentials to ensure that a compromise
> of it will not impact other accounts that I care about more.
>
> What* does* bother me is the loss of privacy implied by sharing a login
> system between Phabricator and any of the various OAuth providers.  I'm
not
> interested in having my identity shared across systems, particularly when
> some of those systems are built for and funded by correlating as much of
> that identity information as possible and using it for advertising.  From
> this perspective, using a Github OAuth is the *least bad* alternative, but
> it's still not a direction that I  want to encourage.
>
> --Owen
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.llvm.org/pipermail/llvm-dev/attachments/20121019/a4a69168/attachment.html>

On Oct 18, 2012, at 2:45 PM, Manuel Klimek <klimek at google.com> wrote:
> I hear you, but I'd be interested in why OAuth is a problem for you
The privacy policies you would have to agree to are really scary, possibly even
illegal in Europe.

It seems like a completely unnecessary obstacle to participating in code review.

Are you concerned about unauthorized reviews? Drive-by LGTMs?

/jakob

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.llvm.org/pipermail/llvm-dev/attachments/20121018/d61e6b8a/attachment.html>

On Fri, Oct 19, 2012 at 12:23 AM, Jakob Stoklund Olesen <stoklund at
2pi.dk>wrote:
>
> On Oct 18, 2012, at 2:45 PM, Manuel Klimek <klimek at google.com>
wrote:
>
> I hear you, but I'd be interested in why OAuth is a problem for you
>
>
> The privacy policies you would have to agree to are really scary, possibly
> even illegal in Europe.
>
> It seems like a completely unnecessary obstacle to participating in code
> review.
>
> Are you concerned about unauthorized reviews? Drive-by LGTMs?
>
I'm not concerned at all. I think having a login has a lot of usability
features for a website (showing you your configured stuff, setting up
rules, etc). I myself was surprised that phabricator didn't offer a simple
"sign me up with a name and an insecure password I hand you" workflow.

Cheers,
/Manuel
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.llvm.org/pipermail/llvm-dev/attachments/20121019/757fbbc7/attachment.html>

On 18 Oct 2012, at 23:03, Owen Anderson wrote:
> For me, the concerns are much more about privacy than about security. 
I'm not really bothered by the idea of my Phabricator account being
compromised, and I will use one-off credentials to ensure that a compromise of
it will not impact other accounts that I care about more.
> 
> What does bother me is the loss of privacy implied by sharing a login
system between Phabricator and any of the various OAuth providers.  I'm not
interested in having my identity shared across systems, particularly when some
of those systems are built for and funded by correlating as much of that
identity information as possible and using it for advertising.  From this
perspective, using a Github OAuth is the *least bad* alternative, but it's
still not a direction that I  want to encourage.
Completely in agreement.  Requiring a third-party login is a good reason for not
using a service.

David