Dan Kegel wrote:
Steven Edwards wrote:
Based upon my recollection there was a lot of contempt for OpenID at the last wineconf. Maybe the situation has changed recently...
For those new to the story, OpenID is incredibly insecure. See for example
http://marcoslot.net/apps/openid/
http://www.gnucitizen.org/blog/hijacking-openid-enabled-accounts/
http://www.techafina.com/posts/openid-benefits-and-risks/
http://kuza55.blogspot.com/2007/01/insecure-openid-features.html
Moreover, it's hard to use, as shown by usability testing at Yahoo:
http://www.betanews.com/article/Yahoo-usability-tests-bode-ill-for-OpenID-ta...
In short: if you care about your data or your identity, stay far away from OpenID.
All our WineHQ data is public though -- is there still a risk if we restrict the allowed OpenID providers to the main WineHQ one?
Now, if you absolutely must use OpenID, there are people working on making it more secure. For instance, Google is giving it a shot; see http://google-code-updates.blogspot.com/2009/05/google-openid-api-taking-nex... But I doubt the wine community wants to go there.
Better to implement a plain old shared password database between our four services.
- Dan
This would be nice, but we don't have any premade tools for getting bugzilla and friends talking to one another that way. I'm not sure how difficult that is to do from scratch, though it might not be substantially harder than integrating the OpenID stuff.
Thanks, Scott Ritchie