Derek Wright wrote:
> On Oct 9, 2007, at 8:45 AM, Gerhard Killesreiter wrote:
>> The question is: do we want to? People are using the password to our site on some potentially insecure sites.
> Agreed.
>> I think it is desirable for d.o to stop using drupal.module as soon as feasible.
> Agreed.
>> Read: As soon as g.d.o has fixed the issue. We should be able to add missing email address by doing some synchronizing between d.o and g.d.o's databases.
> Depending on the timing of it, I think this might be too aggressive. We've gone N years with this security problem, another month won't kill anyone.

Yeah, I guess.

> I think we need a front page post about it with a specific deadline at which @drupal.org logins on other sites will no longer work. I think we should give people at least a month to transition, upgrade, whatever they have to do. Plus, we should attempt to have d.o as an OpenID provider ASAP (which doesn't require putting the OpenID server code in core for D6, mind you), ideally as part of the info in that front page post, encouraging people to use that instead...
There are people who want to work on an open ID server for d.o. I propose that we end support for drupal.module-type logins either last of December or whenever that server is there. Whatever comes first.

Cheers,
Gerhard