Here's my $0.02 (adjusted for inflation):
On Sat, Sep 4, 2010 at 11:32 AM, Zygmunt Krynicki < zygmunt.krynicki@linaro.org> wrote:
I think that for our internal use cases a best option would be launchpad integration. We don't mind using launchpad, we already have accounts there. We could use oauth for authentication. I'm not an expect on oauth
...
For a centralized installation this would be pretty good. For ad-hoc installations it could be difficult to setup but I'm just guessing here.
As you mention, for ad-hoc installations, this could be a problem. While
this does have a certain appeal to it, it also looks like it would take quite a bit more time and effort to implement this, with no compelling need visible at this point. We can revisit whether that is still the case down the road, and possibly support it as an option in the future, but for now I think it better to take a simpler approach.
Other options are (off the top of my head):
- Basic/Digest HTTP authentication. Digest is pretty good (or so
I think this would fit our needs just fine.
- Custom authentication via special XML-RPC methods and some
I think we all agree this is not desirable
- - No authentication at all. All XML-RPC interfaces are public and anyone
may call them. Surprisingly this is not such a bad option. Since all request would be anonymous all the users would be allowed to do is upload data to public "directories". All other interaction would have to be performed via the website or the administration panel.
I can certainly see the logic here, and discounting the possibility of a nefarious spammer flooding our server with junk, I think it's worth consideration. My concerns revolve around what it might complicate on the back end. If we want to go this route, I think the impact needs to be better defined. - With lots of possible submissions, without any kind of identification attached to them, how do I find my submission in the haystack? - You mentioned uploading to "directories", which could fix the above partially, but what prevents someone from uploading to my directory, even by accident (for instance, if they have a similar name and just happen to choose the same "path" as me) - Are results publicly automatically? If not, who has the authority to approve them? And if you restrict access to this, aren't we back to providing an authentication mechanism again, but just complicating the process by which results are posted? ... You can see my line of thinking here I hope. I'm not saying it's a bad option, just that there are some implementation details that span farther than just the auth stage that need to be clearly defined first, if we want to go in this direction.
Thanks, Paul Larson