Carlos E. R. (carlos.e.r@opensuse.org) wrote:
On 2014-02-11 at 15:02 -0500, Felix Miata wrote:
Lack of login persistence bothers me most.
It is intentional, so it is not going to change.
According to https://bugzilla.novell.com/show_bug.cgi?id=776191#c11 (again unfortunately internal-only) the possibility of fixing it has not been ruled out.
The system uses a very secure authentication system commercialized (I think) by Novell (Access Manager from NetIQ), different from Bugzilla's own system (whatever that is). And it is the same system used on all "our" sites, so that the same login works on Bugzilla and the forums and many other places.
It has to be secure because it is also used by Novell with their other products and paying customers. That's why there is no login persistence. Security.
What do you mean by "login persistence" exactly? I think part of the problem is that there is some ambiguity around what we are talking about. I have attempted to clarify that here: https://bugzilla.novell.com/show_bug.cgi?id=753203#c3
And it has serious advantages.
Recently, the forums were hacked. A photo of the emails and passwords was published to prove they got inside. But the passwords they got were not the real passwords, they were fakes. The real passwords were handled behind, on a different machine and service they could not even get close to. So the hundreds of thousands of users did not have to change their passwords.
https://news.opensuse.org/2014/01/07/opensuse-forums-defaced/ <http://thehackernews.com/2014/01/openSUSE-Forum-Hacked-by-Pakistani-hacker.h... >
Previously, the Ubuntu forums were attacked, and there they did get the real passwords. You can find the email threads at the opensuse mail list:
13-07-23 15:46 Basil Chupin (5165) . [opensuse] Ubuntu Forum hacked
14-01-08 09:37 Michael Hamilton (4804) . [opensuse] forums.opensuse.org down?
That's true, but it's not directly relevant. No one's requesting that Access Manager should be removed from bugzilla. What I would like is for bugzilla to offer a login-time checkbox entitled "I am using a secure computer", and this would increase the login session timeout from O(hours) to O(days). This seems like a reasonable trade-off between security and convenience, and it also happens to be standard practice industry-wide.
-- 
To unsubscribe, e-mail: opensuse-web+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-web+owner@opensuse.org
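One way to implement the "I am using a secure computer" checkbox discussed above, as an added example that is not code from this thread, from Bugzilla or from Access Manager: the checkbox only lengthens the idle timeout, while an absolute lifetime cap still bounds how long a stolen cookie stays usable. All timeouts, names and cookie attributes are assumptions.

```python
"""Session store with a per-login idle timeout and a fixed absolute cap.
Added illustration; the numbers below are assumptions, not Bugzilla's."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SHORT_IDLE = 4 * 3600          # O(hours): default idle timeout
LONG_IDLE = 7 * 24 * 3600      # O(days): idle timeout with the checkbox ticked
ABSOLUTE_MAX = 30 * 24 * 3600  # hard cap, regardless of activity or checkbox


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    idle_limit: int


def cookie_header(token: str, trusted_device: bool) -> str:
    # Secure/HttpOnly/SameSite keep the token off plaintext links and out of script;
    # Max-Age mirrors the idle window so the browser drops it at the same time.
    max_age = LONG_IDLE if trusted_device else SHORT_IDLE
    return f"Set-Cookie: session={token}; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax; Path=/"


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, trusted_device: bool) -> str:
        # 256-bit random id; all state stays server-side, the client holds only the id.
        token = secrets.token_urlsafe(32)
        now = self._clock()
        idle = LONG_IDLE if trusted_device else SHORT_IDLE
        self._sessions[token] = Session(user, now, now, idle)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user of a live session, or None (and forget the session)."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > s.idle_limit or now - s.created > ABSOLUTE_MAX:
            del self._sessions[token]
            return None
        s.last_seen = now  # sliding idle window; the absolute cap never slides
        return s.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)
```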