Diffstat (limited to 'zarb-ml/mageia-sysadm/2011-February/002693.html')
-rw-r--r-- | zarb-ml/mageia-sysadm/2011-February/002693.html | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2011-February/002693.html b/zarb-ml/mageia-sysadm/2011-February/002693.html new file mode 100644 index 000000000..06832a981 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2011-February/002693.html 
@@ -0,0 +1,159 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] Login blacklist on identity + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Login%20blacklist%20on%20identity&In-Reply-To=%3C1297353122.21676.51.camel%40akroma.ephaone.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="002692.html"> + <LINK REL="Next" HREF="002681.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] Login blacklist on identity</H1> + <B>Michael Scherer</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Login%20blacklist%20on%20identity&In-Reply-To=%3C1297353122.21676.51.camel%40akroma.ephaone.org%3E" + TITLE="[Mageia-sysadm] Login blacklist on identity">misc at zarb.org + </A><BR> + <I>Thu Feb 10 16:52:02 CET 2011</I> + <P><UL> + <LI>Previous message: <A HREF="002692.html">[Mageia-sysadm] Login blacklist on identity +</A></li> + <LI>Next message: <A HREF="002681.html">[Mageia-sysadm] Login blacklist on identity +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#2693">[ date ]</a> + <a href="thread.html#2693">[ thread ]</a> + <a href="subject.html#2693">[ subject ]</a> + <a href="author.html#2693">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Le jeudi 10 février 2011 à 16:35 +0200, Anssi Hannula a écrit : +><i> On 10.02.2011 16:28, Michael Scherer wrote: +</I>><i> > Hi, +</I>><i> > +</I>><i> > While thinking about setting email alias, I realized that if we are +</I>><i> > gonna offer alias to various people, we should maybe forbid certain +</I>><i> > login to be registered, like press, contact, president so they do not +</I>><i> > clash in the future. 
+</I>><i> > +</I>><i> > Is there anything to add on that list : +</I>><i> > contact -> already used on the current website +</I>><i> > press -> the same +</I>><i> > +</I>><i> > president -> could be nice to have +</I>><i> > secretary -> ditto +</I>><i> > treasurer -> ditto +</I>><i> > +</I>><i> > security ? +</I>><i> > +</I>><i> > The goal is not to be exhaustive just to prevent stuff that are easy to +</I>><i> > avoid. The goal of the blacklist is not to implement policy for naming +</I>><i> > besides obvious clash. IE, I think we should not add sarkozysux/rox or +</I>><i> > stuff like that, because this is a never ending task. +</I>><i> > +</I>><i> > And for obvious reasons I prefer to keep the list as small as possible +</I>><i> > for a start ( and so only for thing when they are in practice used ), +</I>><i> > and later let it grow. +</I>><i> +</I>><i> Well, I'm not sure what benefit would such a partial list have? +</I>><i> +</I>><i> I mean, don't all email aliases require some approval anyway? So that we +</I>><i> could simply refuse ambigious addresses on a case-by-case basis. +</I> +Let imagine how it would go : + +Some person is registering on the forum so it use catdap, with the name +apache. apache is blocked right now, but imagine it is not. It work +fine, he use his real name on the forum, and while apache may be +suspicious to moderator, that would not be so weird. He also post +bugzilla, etc. + +Later, this person become active on design team. She subscribe to the +ml, using his email, and after lots of work, she become a peer in the +group, and so the design team grant a email alias as well as access to +some services ( let's imagine we also offer web space for sharing +design ). + +First issue happen, this person receive lots of spam, because apache@ is +a well know tried email. Annoying, but nothing weird. + +Second issue, the permission are messed up on the web host. Slightly +more annoying. 
Write access to everything where only the webserver +should have, etc. + +Becoming peer will either be handled by sysadmins, or be delegated ( i +speak of the technical change , not the decision to do it that would be +delegated ). +If we choose the delegation, either the design team is also fully avare +of the infrastructure and warn sysadmin, or they are not and just do it. +While I have no doubt our design team is gifted, I doubt they will be +this gifted to detect something wrong. + +If we choose the migration by a sysadmin, the sysadmin will likely see +something weird, and react. But this show 2 problem : +- sysadmins will become a bottleneck, and that's bad. + +- what to do to react ? + +Changing login can be done on ldap without too much trouble. +But then the login is out of sync on the rest of the softwares +( bugzilla, forum, etc ), with all the fun of a manual migration ( ie +sql query on production database ). As we agreed for practical reason to +have a unmutable login unless we can avoid it ( see the whole thread +starting at +<A HREF="https://www.mageia.org/pipermail/mageia-sysadm/2010-November/000897.html">https://www.mageia.org/pipermail/mageia-sysadm/2010-November/000897.html</A> ), the whole system is engineered around this ( not that we engineered much, as most software on the planet is based on this assumption ) + + +None alternative seems appealing to me. So trying to reduce such work + + +><i> Related thing I wonder is if we should enforce an email alias format +</I>><i> (like firstname.lastname@ or somesuch) or not. +</I> +It should be $login@ as the login is guaranteed to be unique, while +firstname.lastname is not unique ( seeks michael scherer opensuse to +see ), and can be changed ( people who marry, etc etc ). +Not to mention that not everybody want to use his real name for +contributing ( and I have at least 3 exemples from the current ldap +directory ). 
+ +-- +Michael Scherer + +</PRE> + + + + + + + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="002692.html">[Mageia-sysadm] Login blacklist on identity +</A></li> + <LI>Next message: <A HREF="002681.html">[Mageia-sysadm] Login blacklist on identity +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#2693">[ date ]</a> + <a href="thread.html#2693">[ thread ]</a> + <a href="subject.html#2693">[ subject ]</a> + <a href="author.html#2693">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |
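Review bot: the new archive page declares `charset=us-ascii` in its `<META http-equiv="Content-Type">` header, but the `<PRE>` body contains non-ASCII text ("Le jeudi 10 février 2011 à 16:35 +0200, Anssi Hannula a écrit :"), so a browser that honours the declared charset will render those characters as mojibake. Either declare the encoding the file is actually written in (e.g. `content="text/html; charset=utf-8"` if the bytes are UTF-8) or have the archiver emit the non-ASCII characters as HTML entities so the us-ascii declaration becomes true.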