On Oct 9, 2007, at 8:45 AM, Gerhard Killesreiter wrote:

> The question is: do we want to? People are using the password to our site on some potentially insecure sites.

Agreed.

> I think it is desirable for d.o to stop using drupal.module as soon as feasible.

Agreed.

> Read: As soon as g.d.o has fixed the issue. We should be able to add missing email addresses by doing some synchronizing between d.o and g.d.o's databases.

Depending on the timing of it, I think this might be too aggressive. We've gone N years with this security problem, another month won't kill anyone. I think we need a front page post about it with a specific deadline at which @drupal.org logins on other sites will no longer work. I think we should give people at least a month to transition, upgrade, whatever they have to do. Plus, we should attempt to have d.o as an OpenID provider ASAP (which doesn't require putting the OpenID server code in core for D6, mind you), ideally as part of the info in that front page post, encouraging people to use that instead...

Cheers,
-Derek