On 28.06.2017 23:51, Aaron Wolf wrote:
> On 06/28/2017 02:04 PM, Bryan Richter wrote:
>> While poking around the admin panel for git.snowdrift.coop's githost
>> account, I found that I can enable GitHub OAuth.
>> I've already turned it on as an experiment. Should we leave it on?
>> Pros: 
>> - New devs, who probably already have GitHub accounts, can easily
>>   create an account on git.snowdrift.coop. Less friction.
>> Cons:
>> - GitHub knows when these people sign in to git.snowdrift.coop.
>> - OAuth login is not compatible with two-factor auth.
>> I think the pros outweigh the cons. Creating an account is the "hard"
>> part... enabling passphrase login and two-factor auth can be done
>> later.
>> I have put a message listing the cons on the login page. You can see
>> it quickly by viewing https://git.snowdrift.coop/users/sign_in in a
>> private/incognito window.
>> Any thoughts or feedback?
>> P.S. Amusingly, we can also use git.snowdrift.coop *as an OAuth
>> provider*, if we wanted to use it to log in to other sites...
> Interesting. Anyone making commits that get to master will be mirrored
> to GitHub anyway. Anyone who cares about being free of GitHub can still
> do that.
> I think that allowing it with qualifications and not treating it as the
> default sounds good. I would object to Facebook or something like that
> because (well, not sure that's OAuth even) Facebook is a more deeply
> horrible company. GitHub is at the level where I like acknowledging
> known issues and then maximizing participation from both of two groups:
> those who would be upset at us fully embracing GitHub (like just using
> GitHub directly) and those who will be turned off by barriers to entry
> (such as not using GitHub directly).
> I think qualified GitHub OAuth is an excellent balance.

I feel we should not jump through so many hoops to turn our back on GitHub
but then stick their logo on our GitLab repo anyway.

If catering to "lazy" devs is important I'm ok with treating GitHub as a
second class citizen. So the "Sign in with *GITHUBLOGO*" could be a
textual note only.

I created a related issue that shows what I would have in mind:
