On Thu, 20 Oct 2016 19:32:42 -0400
Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> wrote:

> On Thu, Oct 20, 2016 at 04:25:23PM -0700, stan wrote:
> > > Currently, you can login via any of the providers listed here:
> > > https://lists.fedoraproject.org/accounts/login/
> > > yahoo, generic openid, google, fedora, twitter, github, gitlab,
> > > facebook, stack exchange.
> >
> > I've been thinking about this. It seems like security is being
> > traded off for convenience. If a breach of security occurs (like
> > the yahoo breach), it means that multiple accounts are now
> > compromised. I can see where it becomes easier to administer since
> > the responsibility for administration is now someone else's
> > responsibility.
> >
> > Am I missing something?
>
> Well, mailman2 passwords were always kind of a joke anyway, since you
> could reset it with your email address; if you're subscribed with a
> yahoo account and your yahoo password is compromised, they could log
> in.
>
> But beyond that, security is relative to risk, and related to that,
> consequences of failure. What are the consequences here?
>

I read this as saying that you are agreeing that it is a security risk, but that what is being risked is of so little value that any compromise of security is not worthy of consideration. And that seems to make sense in this case.

I then think that Fedora is using all those other accounts as a sort of 'captcha' filter to prevent spam from getting to the list. Otherwise, why bother having any security at all to sign up for a mailing list? Just take the email address, send a confirmation, get a response, and bob's your uncle.

In fact, given that a spammer could set up their own openid server, there really isn't any security at all. I suppose the work of setting up and maintaining the server is a hurdle to prevent casual abuse.