James Hawkins wrote:
> On Fri, Mar 14, 2008 at 9:52 PM, James McKenzie
> <jjmckenzie51@xxxxxxxxxxxxx> wrote:
>> TonyLambregts wrote:
>>> Well Bugzilla is actually CGI not PHP... Whatever... The thing is we should have a unified login for all our sites. We currently have 4 sites that a user can log into. They are:
>>>
>>> Bugs (http://bugs.winehq.org): server at CodeWeavers using CGI and MySql login by email
>>> AppDb (http://appdb.winehq.org): server at CodeWeavers using PHP and MySql login by email.
>>> Wiki (http://wiki.winehq.org): server at Lattica using python login by user name.
>>> Forum (http://forum.winehq.org): server at CodeWeavers using PHP and ??? login by user name
>>>
>>> Bugzilla has the ability to use LDAP already, and extending it to the others would be the way to go IMO.
>>>
>>> We have come a long way in integrating the AppDB and Bugzilla. Integrating the logins would be a huge advantage for application maintainers as well as administrators.
>>>
>>> This is not really an original thought since it has been around since 2002. See bug 560 (http://bugs.winehq.org/show_bug.cgi?id=560)
>>>
>> No. If one account gets compromised, you are basically up a tree. I'm
>> a maintainer in the AppDb. If my login was compromised, someone with
>> malicious intent could make my life miserable for a while. I'd have a
>> mess to clean up...
>
> Your fear is unjustified, as you're implying the appdb is inherently
> more secure than the 3 other sites (which I have a feeling you can't
> justify). You worry that if the logins are unified, your appdb login
> will be compromised. As it stands, do you really think the appdb on
> its own is bullet-proof, thus you don't worry about that account being
> compromised?

James:
No, I am not stating that the AppDB is more secure than any of the other
sites. What I am saying is that the four sites have different logins
and that is how they should stay. If my AppDb information is
compromised, you cannot get into Bugzilla (I don't even use the same
login name for the two sites). If we unify them, then you can and
definitely 'wreak havoc'. If you all are really interested, I can go
into more detail as to why you don't want unified logins, and it has to
do with levels of security that most folks do not deal with. I'm not
going to bore or rant about that here in the mailing list. The bottom
line (as they state in business): Don't use the same login and/or
password for more than a single web site. Since the AppDb and Bugzilla
are technically two different web sites, then that policy should apply.
Never give up security for the appearance of ease of use.
James McKenzie