Hey!

Last Friday I deployed a new version of the Mailman / Postorius /
HyperKitty stack on prod. There are a lot of improvements, but one of the
most visible (and maybe the main reason for writing those changes) is the
login system. Previously, we mainly relied on Mozilla Persona and FAS. As
you may know, Persona will be shut down soon (end of November), so we can't
rely on it anymore.

The new system implements more external login providers *and* local
authentication, with the classical workflows (user signup, email
verification, password reminders, etc). This is for people who don't have
or don't want to use external login providers.

When I deployed it, I had feedback from people on the infra group that it
creates another user database that isn't managed and audited as well as
FAS, and that if people are willing to sign up to Mailman, they might as
well sign up to FAS.
The problem is: former Persona users have been migrated to local accounts
(because there soon won't be an external reference to point at anyway) and
those people must still be able to access their accounts. They currently do
that by requesting a password ("I forgot my password" process).
They can't log in through another external service and just add their
existing address, since it is not allowed to add an address belonging to
another user.

I've thought about that over the weekend and I think we could just disable
user signup by redirecting users to FAS. This way existing Persona users
could still request a password and log in, but the bulk of new users would
just create accounts in FAS. Of course we would still have a database with
passwords for some users, but since (to my knowledge) former Persona users
can't be migrated to FAS directly, I don't think we can avoid that.

For those who had nightmares for too long with the Mailman 2 plaintext
password storage and fear it's coming back, rest assured that the passwords
are hashed and salted by Django. There may even be pepper and garlic.
That said, security vulnerabilities in Django are always possible, but
we're using the long term support release and I'm following updates.

This is what I propose changing the signup page to:
https://lists.stg.fedoraproject.org/accounts/signup/
Please correct my wording if it needs it.

Thoughts, suggestions?

Aurélien
_______________________________________________
infrastructure mailing list -- infrastructure@lists.fedoraproject.org
To unsubscribe send an email to infrastructure-le...@lists.fedoraproject.org