Good Morning,

I am CC'ing the board, since we have a disagreement here and the possible consequences for the entire project.

For the board, we do discuss the successor of the existing identity management system used for SUSE and openSUSE services. The system hosted by MF-IT will be shut down next month and SUSE will move their data to a system currently being built up by the eng-infra team. Independent of that, Stasiek has built up an alternative solution inside the openSUSE-heroes network.

On Wednesday, 29 April 2020, 05:06:18 CEST, Stasiek Michalski wrote:
On Tue, Apr 28, 2020 at 18:56, Stasiek Michalski <hellcp@opensuse.org> wrote:
On Tue, Apr 28, 2020 at 07:48, Adrian Schröter <adrian@suse.de> wrote:
Sorry, but we won't use these for OBS and bugzilla at least. This is because I do not really invest in syncing accounts also with our other systems (including also our internal build service).
(I wrote some more reasons here, repeating below)
Discussions on OBS's support of any other technologies should happen in https://github.com/openSUSE/open-build-service/issues/9122, we reported
You can discuss here if something should be implemented, but this is independent of the question of what we will use on our production instance.
this as soon as we started with a realization that OBS will be the only problematic piece of software, since only it doesn't support what is required.
Here, as a sidenote, we could also use mod_auth_gssapi [1] with form intercept [2], but I don't think we should treat that as a long term solution, since that makes OBS ignore the SSO functionality entirely.
We do *NOT* speak about technical implementation details here atm.

The big topics are the legal, trust and policy changes here. You basically ask for root access on every user installation which uses any repository from OBS. And you ask for access to content SUSE gets only under hard NDAs. Also legal would need to clarify if openSUSE would still be the same legal entity for this data as before and if a duplication is acceptable (because this is personal data which is under DSGVO regulations).

In short this most likely violates a number of contracts, certifications and laws.

The consequences of this are that we most likely need to revoke GPG keys, set up another instance of OBS and bugzilla, move content over, inform users publicly and individually and ask for permission to import their data into your new system.

But these are just the problems at first glance, I am sure there are more.

Therefore I do not want to discuss this atm on short notice, but postpone it to a later point. Instead sticking to the solution from eng-infra to avoid that we need to shut down OBS, bugzilla and possibly also further openSUSE infrastructure in the next weeks.

We can later on discuss it without the time pressure. And include also the goals for the entire project and all stakeholders into this.

Furthermore it is my private opinion that we should not confuse openSUSE users by the launch of two independent account systems at the same time. Instead we should aim for the opposite, allowing the usage of external accounts (like Google and friends) optionally to avoid the hurdle of creating an account.

Daniel can give you some insight about their system and how it can be used also inside of the heroes network.

bye
adrian

--
Adrian Schroeter
email: adrian@suse.de
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany