> Build something that works for some subset of the use cases first, then we
> can worry about edge cases and scaling.
Before starting to code, does this project have no chance of selection for GSoC 2015?
I want to attend GSoC 2015 with this project if available.

2015-02-21 3:00 GMT+09:00 Bryan Davis <[email protected]>:
> On Fri, Feb 20, 2015 at 10:56 AM, Gerard Meijssen
> <[email protected]> wrote:
>> Hoi,
>> I have been at Meta ... I do not see it, I do not understand it .. What
>> should I do to enable this ?
>> Thanks,
>> GerardM
>
> This thread is basically a discussion of a proposed MediaWiki feature.
> See <https://phabricator.wikimedia.org/T30085> for additional context.
>
>
>> On 20 February 2015 at 18:53, Bryan Davis <[email protected]> wrote:
>>
>>> On Fri, Feb 20, 2015 at 9:52 AM, devunt <[email protected]> wrote:
>>> > We should consider some edge cases like:
>>> >
>>> > * More than two accounts with exactly the same email and password.
>>> > -> In this case, which account should be chosen for logged-in? Maybe
>>> > account selector could be one of the answers.
>>> >
>>> > * If there are 42 accounts with the same email.
>>> > -> Should mediawiki try to check password forty two times? It will
>>> > take a _very_ long time, enough to cause gateway timeout. Which means
>>> > nobody can log in to that account.
>>> > -> To avoid timing attack completely, should mediawiki calculate hash
>>> > of all users forty two times as same as above user?
>>>
>>> Minimum viable product assumption:
>>>
>>> Given that authentication is attempted with an (email, password) pair
>>> When more than one account matches email
>>> Then perform one data load and hash comparison to mitigate timing attacks
>>> and fail authentication attempt
>>>
>>> A community education campaign could easily be launched to notify
>>> users that this invariant will hold for email based authentication and
>>> give instructions on how to change the email associated with an
>>> account. The target audience for email based authentication (newer
>>> users who think of email addresses as durable tokens of their
>>> identity) will not be likely to be affected or even aware of the
>>> multiple account disambiguation problem.
>>>
>>> Bryan
>>> --
>>> Bryan Davis Wikimedia Foundation <[email protected]>
>>> [[m:User:BDavis_(WMF)]] Sr Software Engineer Boise, ID USA
>>> irc: bd808 v:415.839.6885 x6855
>>>
>>> _______________________________________________
>>> Wikitech-l mailing list
>>> [email protected]
>>> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
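
The minimum viable product rule quoted in this thread (one data load and one hash comparison, then fail when more than one account matches the email), sketched as an added Python example that is not part of the thread or of MediaWiki's code. The in-memory user table, the PBKDF2 parameters, the dummy record for the no-match case and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000          # assumed work factor for the example
CALLS = {"hash": 0}          # counts password hashes, to show constant work


def hash_password(password, salt):
    CALLS["hash"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(name, email, password):
    salt = os.urandom(16)
    return {"name": name, "email": email.lower(), "salt": salt,
            "hash": hash_password(password, salt)}


# Constructed sample accounts (hypothetical): two share one address.
USERS = [
    make_user("Alice", "alice@example.org", "correct horse"),
    make_user("Bob", "shared@example.org", "hunter2"),
    make_user("BobBot", "shared@example.org", "hunter2"),
]

# Dummy record hashed when no account matches, so that path costs the same.
DUMMY = make_user("", "", "dummy-password")


def login_by_email(email, password):
    """Return the account name on success, None on any failure.

    Every call selects exactly one record and computes exactly one hash,
    whether 0, 1 or 42 accounts match the email.
    """
    matches = [u for u in USERS if u["email"] == email.lower()]
    record = matches[0] if matches else DUMMY            # one data load
    candidate = hash_password(password, record["salt"])  # one hash
    password_ok = hmac.compare_digest(candidate, record["hash"])
    # An ambiguous email always fails, even when the password is right.
    if len(matches) == 1 and password_ok:
        return record["name"]
    return None
```
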
