On Thu, Oct 18, 2012 at 11:21 PM, Krzysztof Parzyszek < kparzysz at codeaurora.org> wrote:> On 10/18/2012 4:18 PM, Chandler Carruth wrote: > >> >> Facebook is not the only OAuth provider though. We should be able to >> support essentially any you would prefer if that's all. Manuel's comment >> still stands if OAuth is a problem. >> > > My point is that using an OAuth provider should be an option, not a > de-facto requirement.I hear you, but I'd be interested in why OAuth is a problem for you - as I said, if we have good arguments, the phab guys are really quick to come up with changes. I'm not deeply familiar with authentication schemes. Thanks, /Manuel> > > -- > Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted > by The Linux Foundation > ______________________________**_________________ > LLVM Developers mailing list > LLVMdev at cs.uiuc.edu http://llvm.cs.uiuc.edu > http://lists.cs.uiuc.edu/**mailman/listinfo/llvmdev<http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev> >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20121018/43bb9990/attachment.html>
Krzysztof Parzyszek
2012-Oct-18 21:53 UTC
[LLVMdev] Announcement: Phabricator for code reviews
On 10/18/2012 4:45 PM, Manuel Klimek wrote:> > I hear you, but I'd be interested in why OAuth is a problem for you - as > I said, if we have good arguments, the phab guys are really quick to > come up with changes. I'm not deeply familiar with authentication schemes.What I don't like about it is that those who do not have Facebook, Google or Github accounts will now need to get one in order to access service that's entirely unrelated to any of the account providers. Also, those people who do compiler work for a living may be required to follow certain protocols when communicating with the outside world. Tying it to Facebook or Google may simply not be an option. -K -- Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted by The Linux Foundation
Manuel, On Oct 18, 2012, at 2:45 PM, Manuel Klimek <klimek at google.com> wrote:> I hear you, but I'd be interested in why OAuth is a problem for you - as I said, if we have good arguments, the phab guys are really quick to come up with changes. I'm not deeply familiar with authentication schemes.I know you've already resolved the issue for me with a manually created account, but to reiterate my reasons from that earlier conversation: For me, the concerns are much more about privacy than about security. I'm not really bothered by the idea of my Phabricator account being compromised, and I will use one-off credentials to ensure that a compromise of it will not impact other accounts that I care about more. What does bother me is the loss of privacy implied by sharing a login system between Phabricator and any of the various OAuth providers. I'm not interested in having my identity shared across systems, particularly when some of those systems are built for and funded by correlating as much of that identity information as possible and using it for advertising. From this perspective, using a Github OAuth is the *least bad* alternative, but it's still not a direction that I want to encourage. --Owen -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20121018/72286f9e/attachment.html>
Thanks, I've created https://secure.phabricator.com/T1930. Until that is resolved I'll create accounts for anybody who doesn't want to use OAuth - just shoot me a mail. Cheers, /Manuel On Fri, Oct 19, 2012 at 12:03 AM, Owen Anderson <resistor at mac.com> wrote:> Manuel, > > On Oct 18, 2012, at 2:45 PM, Manuel Klimek <klimek at google.com> wrote: > > I hear you, but I'd be interested in why OAuth is a problem for you - as I > said, if we have good arguments, the phab guys are really quick to come up > with changes. I'm not deeply familiar with authentication schemes. > > > I know you've already resolved the issue for me with a manually created > account, but to reiterate my reasons from that earlier conversation: > > For me, the concerns are much more about privacy than about security. I'm > not really bothered by the idea of my Phabricator account being > compromised, and I will use one-off credentials to ensure that a compromise > of it will not impact other accounts that I care about more. > > What* does* bother me is the loss of privacy implied by sharing a login > system between Phabricator and any of the various OAuth providers. I'm not > interested in having my identity shared across systems, particularly when > some of those systems are built for and funded by correlating as much of > that identity information as possible and using it for advertising. From > this perspective, using a Github OAuth is the *least bad* alternative, but > it's still not a direction that I want to encourage. > > --Owen >-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20121019/a4a69168/attachment.html>
Jakob Stoklund Olesen
2012-Oct-18 22:23 UTC
[LLVMdev] Announcement: Phabricator for code reviews
On Oct 18, 2012, at 2:45 PM, Manuel Klimek <klimek at google.com> wrote:> I hear you, but I'd be interested in why OAuth is a problem for youThe privacy policies you would have to agree to are really scary, possibly even illegal in Europe. It seems like a completely unnecessary obstacle to participating in code review. Are you concerned about unauthorized reviews? Drive-by LGTMs? /jakob -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20121018/d61e6b8a/attachment.html>
On Fri, Oct 19, 2012 at 12:23 AM, Jakob Stoklund Olesen <stoklund at 2pi.dk>wrote:> > On Oct 18, 2012, at 2:45 PM, Manuel Klimek <klimek at google.com> wrote: > > I hear you, but I'd be interested in why OAuth is a problem for you > > > The privacy policies you would have to agree to are really scary, possibly > even illegal in Europe. > > It seems like a completely unnecessary obstacle to participating in code > review. > > Are you concerned about unauthorized reviews? Drive-by LGTMs? >I'm not concerned at all. I think having a login has a lot of usability features for a website (showing you your configured stuff, setting up rules, etc). I myself was surprised that phabricator didn't offer a simple "sign me up with a name and an insecure password I hand you" workflow. Cheers, /Manuel -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20121019/757fbbc7/attachment.html>
On 18 Oct 2012, at 23:03, Owen Anderson wrote:> For me, the concerns are much more about privacy than about security. I'm not really bothered by the idea of my Phabricator account being compromised, and I will use one-off credentials to ensure that a compromise of it will not impact other accounts that I care about more. > > What does bother me is the loss of privacy implied by sharing a login system between Phabricator and any of the various OAuth providers. I'm not interested in having my identity shared across systems, particularly when some of those systems are built for and funded by correlating as much of that identity information as possible and using it for advertising. From this perspective, using a Github OAuth is the *least bad* alternative, but it's still not a direction that I want to encourage.Completely in agreement. Requiring a third-party login is a good reason for not using a service. David
Possibly Parallel Threads
- [LLVMdev] Announcement: Phabricator for code reviews
- [LLVMdev] Announcement: Phabricator for code reviews
- [LLVMdev] Announcement: Phabricator for code reviews
- [LLVMdev] Announcement: Phabricator for code reviews
- [LLVMdev] Announcement: Phabricator for code reviews