On Fri, May 29, 2015 at 04:24:04PM +0100, Long, Martin wrote:
>
> I didn't want to come across as hostile. I know I haven't contributed a LOT
> to the project like some others. Unfortunately, although I'm a developer,
> C/C++ are not strengths of mine, so contributing code is difficult, but I
> was just offering a contribution in the form of some feedback from my
> perspective.

I apologize that my response to your feedback and perspective was rather aggressive. I guess you hit a few sore spots on my mantle of thick skin that you need to be an open source maintainer...

> You can get FREE SSL certificates, which are accepted by all of the major
> browsers, from StartSSL. They do simple verification using email, and you
> can get them straight away. I use them all the time. It's secure, but they
> just don't offer the monetary guarantees that the big providers offer,
> making it unsuitable for ecommerce.

StartSSL is such an unbelievable pain in the rear it's not even funny. I used to use them and at some point just gave up. They twice randomly decided that there were undefined "issues" with my application and forced me to a $50 ID verification process. And recovery of your credentials is impossible, yet they expire after one year - so unless you are super proactive (note: I'm not) you go through this crap once every 364 days. I cannot wait for the LF to launch their initiative to get free SSL certificates.

All that said, I have ssh based authentication working on my git server. I do NOT have https/user/passwd based authentication working. So regardless of the certificate issue, it still would require more effort on my side.

I am very serious - if someone wants to investigate a way to automate things to set up repositories at some other public site with acceptable usage terms and EULA that can be seamless to the user and is https based - I would ABSOLUTELY LOVE THAT. But I have to prioritize my time - I already barely have the time to do the things I do and other interests and duties of mine suffer because of all the time I spend on Subsurface. I simply don't expect that I'll be able to get this implemented any time soon. Whereas I have ssh authentication working and believe that I understand what it will take to implement the backend infrastructure for that.

> I quite understand that we need to keep this simple for the user, and hence
> my suggestion to use https. I thought it would be simpler to do this using
> http/https than it would using a convoluted method of fetching and
> decrypting a key using a REST api, especially when the result is ultimately
> the same - login using a username/password. I don't think at any point did
> I suggest that [non-advance] users should be creating SSH keys, rather that
> we ought to consider user/password security over http as a better fit
> implementation for that use case.

See above. That would require that I implement this on the back end.

/D