Core drupal.module moved to contrib site_network.module
Hello World,

After discussions about the state of Drupal module, it turned out that:

- drupal module does two things: phone home to a central server and distributed authentication
- drupal.org does not collect any information submitted with drupal.module, so the phone home has no reason to live in Drupal itself
- Drupal 6 is going to ship with OpenID which is much more secure, so there is no requirement to keep shipping Drupal module with Drupal (but it should be made available for users looking for an upgrade path)
- Drupal module was misnamed, its namespace collides with built-in system level functions

So after looking at all this, it was decided that Drupal module needs to go out of core. At http://drupal.org/node/178768 we discussed the future and suggested names. Because all features are kept for now, the new name is site_network. Anyone looking for this functionality will find the project at http://drupal.org/project/site_network from now. Andy Kirkham (aka AjK) volunteered to maintain the module and moved the existing drupal.module issues to the new project.

All-in-all I hope this improves the privacy (no useless phone-home feature to explain) and security (no password tunneling) of Drupal 6.

Gabor
On 8-Oct-07, at 10:59 AM, Gábor Hojtsy wrote:
- Drupal 6 is going to ship with OpenID which is much more secure, so there is no requirement to keep shipping Drupal module with Drupal (but it should be made available for users looking for an upgrade path)
I'm obviously all in favor of this move... but how do we best document that old distauth logins will no longer work until the contrib module is installed?

-- 
James Walker :: http://walkah.net/ :: xmpp:walkah@walkah.net
Is drupal.org going to use it?
CHANGELOG.txt

Or someone could port the OpenID server to D6 and we'll have a great story to tell these upgraders. Interested parties should see the 4.7 version at http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/openid/?pathrev.... James - any progress since then?

On 10/8/07, Dmitri G <dmitrig01@gmail.com> wrote:
Is drupal.org going to use it?
I think the issue is that once d.o moves to D6, sites that use the drupal module will stop working unless we do something we don't have today (maintain backward compatibility) or document that this is no longer a service (auth against d.o).

How do we communicate with sites that are still running the drupal module on older versions? No practical way except an advance announcement on the front page.

Even if we make openid work on 4.7, there is still the gap in communicating that to the sites. Perhaps we can add some code on d.o today to check where the logins are coming from and contact those sites?
I would recommend leaving the module formerly known as drupal and now represented by this contrib on drupal.org for a little while, but retiring it eventually after notice has been given. At most until Drupal 7 ships, possibly less than that.

A lot of blogs (like mine) allow drupal.org logins, and it will be a while before g.d.o users who are using @drupal.org accounts get around to switching to OpenID. (I intend to, but there will need to be an overlap period.)

Actually, I'm not even sure what would happen to @drupal.org accounts on g.d.o or blogs if drupal.org just switched off drupal.module. Would they still be accessible somehow?

On Monday 08 October 2007, Khalid Baheyeldin wrote:
I think the issue is that once d.o moves to D6, sites that use the drupal module will stop working unless we do something we don't have today (maintain backward compatibility) or document that this is no longer a service (auth against d.o).
How do we communicate with sites that are still running the drupal module on older versions? No practical way except an advance announcement on the front page.
Even if we make openid work on 4.7, there is still the gap in communicating that to the sites. Perhaps we can add some code on d.o today to check where the logins are coming from and contact those sites?
-- 
Larry Garfield
AIM: LOLG42
larry@garfieldtech.com
ICQ: 6817012

"If nature has made any one thing less susceptible than all others of exclusive property, it is the action of the thinking power called an idea, which an individual may exclusively possess as long as he keeps it to himself; but the moment it is divulged, it forces itself into the possession of every one, and the receiver cannot dispossess himself of it." -- Thomas Jefferson
On 8-Oct-07, at 11:53 PM, Larry Garfield wrote:
Actually, I'm not even sure what would happen to @drupal.org accounts on g.d.o or blogs if drupal.org just switched off drupal.module. Would they still be accessible somehow?
You can do 'reset password' - but chances are good you never edited your account to set a proper email address - and thus will never actually receive a new password. IIRC, you won't actually receive notification to that effect. So, a site admin (moshe?) will have to enter your email address and set a new password for you.

This is what I'm talkin' about :P

-- 
James Walker :: http://walkah.net/ :: xmpp:walkah@walkah.net
Actually, I'm not even sure what would happen to @drupal.org accounts on g.d.o or blogs if drupal.org just switched off drupal.module. Would they still be accessible somehow?
That was one of my first thoughts, too. I first thought most of the sites running drupal.module are experimental / for demonstration purposes. However, g.d.o is an example of a rather big site using it.

sun
I've been able to use @drupal.org on quite a few other sites too, so I think it'd be a good idea to focus some efforts on making this backwards compatible.

Daniel F. Kudwien wrote:
Actually, I'm not even sure what would happen to @drupal.org accounts on g.d.o or blogs if drupal.org just switched off drupal.module. Would they still be accessible somehow?
That was one of my first thoughts, too. I first thought most of the sites running drupal.module are experimental / for demonstration purposes. However, g.d.o is an example of a rather big site using it.
sun
-- 
Sean Robertson
Web Developer
NGP Software, Inc.
seanr@ngpsoftware.com
(202) 686-9330
http://www.ngpsoftware.com
On 10/9/07, Sean Robertson <seanr@ngpsoftware.com> wrote:
I've been able to use @drupal.org on quite a few other sites too, so I think it'd be a good idea to focus some efforts on making this backwards compatible.
I think we can probably enable a special openid_drupal module that dereferences username@drupal.org (or configurable, username@example.com) for backwards compatibility. Anyone want to look at what it would take for this?

James, if you are working on code, please check in interim changes so we don't duplicate efforts.

-- 
Boris Mann
Office 604-682-2889
Skype borismann
http://www.bryght.com
On 9-Oct-07, at 11:03 AM, Boris Mann wrote:
On 10/9/07, Sean Robertson <seanr@ngpsoftware.com> wrote:
I've been able to use @drupal.org on quite a few other sites too, so I think it'd be a good idea to focus some efforts on making this backwards compatible.
I think we can probably enable a special openid_drupal module that dereferences username@drupal.org (or configurable, username@example.com) for backwards compatibility. Anyone want to look at what it would take for this?
IMO, this is wasted effort... and doesn't actually fix anything. There isn't really 'backwards compatibility' here... we *want* people to get out of the habit of entering their d.o (or other) username & password around on the web.

We have a backwards compatible offering - in contrib - the point here is that - as goba has pointed out - there needs to be the authname tweak in the upgrade path (not a big effort)... but my initial point was really more a 'marketing' issue: Lest we are prepared for the onslaught of OMFG I CNA'T LOG IN DRUPAL SUXX tickets - we should be pretty clear about the change in release notes, etc etc - and have a policy what to do in *.d.o in the change over.

I'm much more inclined - and have said in the past - that we opt for a changeover period while both old style and openid are available with a clear, publicized EOL for the former.
James, if you are working on code, please check in interim changes so we don't duplicate efforts.
hrm?

-- 
James Walker :: http://walkah.net/ :: xmpp:walkah@walkah.net
Quoting James Walker <walkah@walkah.net>:
On 9-Oct-07, at 11:03 AM, Boris Mann wrote:
On 10/9/07, Sean Robertson <seanr@ngpsoftware.com> wrote:
I've been able to use @drupal.org on quite a few other sites too, so I think it'd be a good idea to focus some efforts on making this backwards compatible.
I think we can probably enable a special openid_drupal module that dereferences username@drupal.org (or configurable, username@example.com) for backwards compatibility. Anyone want to look at what it would take for this?
IMO, this is wasted effort... and doesn't actually fix anything. There isn't really 'backwards compatibility' here... we *want* people to get out of the habit of entering their d.o (or other) username & password around on the web.
Let the foo@example.com be the username, i.e. allow the use of @ in the username without treating it special. This might require a password reset but the user can request that himself. Feasible?

Earnie
-- 
http://for-my-kids.com/
-- 
http://give-me-an-offer.com/
Let the foo@example.com be the username, i.e. allow the use of @ in the username without treating it special. This might require a password reset but the user can request that himself. Feasible?
Contrib already has a number of modules that control what various sites want to see as the userid. In general the whole web has mixed opinions on whether one should use their email address, a screen name, a real name or allow people to use any of the above. Going to OpenID introduces another possibility, for example I am yktdan.pip.verisignlabs.com as well as yktdan@drupal.org (and lots of other places).
I think this already works in D5 (and I assume D6). I just temporarily changed my g.d.o username to pwolanin@test.org and it works fine.

-Peter

On 10/10/07, Earnie Boyd <earnie@users.sourceforge.net> wrote:
Let the foo@example.com be the username, i.e. allow the use of @ in the username without treating it special. This might require a password reset but the user can request that himself. Feasible?
Earnie -- http://for-my-kids.com/ -- http://give-me-an-offer.com/
Quoting Peter Wolanin <pwolanin@gmail.com>:
I think this already works in D5 (and I assume D6). I just temporarily changed my g.d.o username to pwolanin@test.org and it works fine.
Thanks for being my tester :/ I should have tried it myself. So it is feasible that if g.d.o deactivated the drupal module the registered users would still authenticate and no extra work is required.

Earnie
-- 
http://for-my-kids.com/
-- 
http://give-me-an-offer.com/
On 10/10/07, Earnie Boyd <earnie@users.sourceforge.net> wrote:
Quoting Peter Wolanin <pwolanin@gmail.com>:
I think this already works in D5 (and I assume D6). I just temporarily changed my g.d.o username to pwolanin@test.org and it works fine.
Thanks for being my tester :/ I should have tried it myself. So it is feasible that if g.d.o deactivated the drupal module the registered users would still authenticate and no extra work is required.
Earnie -- http://for-my-kids.com/
Authenticate, yes. But they will need to remember their password, and if they have not set an email address on their account then they will be unable to access it. Also, as some people screw up, there is some account duplication on drupal.org itself, i.e. jdoe and jdoe@drupal.org. Email addresses have to be unique, so we will probably encounter some issues there as well, so announcements should contain a notice for people to check and input email addresses.

Steven Peck
On 10/9/07, Sean Robertson <seanr@ngpsoftware.com> wrote:
I've been able to use @drupal.org on quite a few other sites too, so I think it'd be a good idea to focus some efforts on making this backwards compatible.
As far as I see, site_network module only needs an update function to look for drupal module auth maps in the authmap table and update those setting site_network as the auth handler. ie:

UPDATE {authmap} SET module = 'site_network' WHERE module = 'drupal';

Gabor
On 9-Oct-07, at 11:11 AM, Gábor Hojtsy wrote:
On 10/9/07, Sean Robertson <seanr@ngpsoftware.com> wrote:
I've been able to use @drupal.org on quite a few other sites too, so I think it'd be a good idea to focus some efforts on making this backwards compatible.
As far as I see, site_network module only needs an update function to look for drupal module auth maps in the authmap table and update those setting site_network as the auth handler. ie:
UPDATE {authmap} SET module = 'site_network' WHERE module = 'drupal';
exactly, and we need to make it clear that site_network needs to be installed.
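As an added illustration, not code from the site_network project, here is what a Drupal 6 style site_network.install could contain to carry out the authmap migration above and to flag on the status report the two transition problems the thread raises: authmap rows still owned by the removed core module (logins for those accounts fail until site_network is installed and updated), and remote-authenticated accounts with no e-mail address on record, which cannot use password reset. The update number 6000, the requirement keys and the message wording are assumptions; the UPDATE statement is the one quoted above.

```php
<?php
// Added example for a hypothetical site_network.install (Drupal 6 API);
// not the project's own code. Update number and messages are assumptions.

/**
 * Implementation of hook_update_N().
 *
 * Re-points authmap rows created by the old core drupal.module at
 * site_network so existing distributed-auth accounts keep working once
 * site_network is enabled. Safe to re-run: rows already migrated no
 * longer match the WHERE clause.
 */
function site_network_update_6000() {
  $ret = array();
  $ret[] = update_sql("UPDATE {authmap} SET module = 'site_network' WHERE module = 'drupal'");
  return $ret;
}

/**
 * Implementation of hook_requirements().
 *
 * Runtime status-report checks for the transition discussed in the thread:
 *  - authmap rows still assigned to the removed drupal.module, which means
 *    update.php has not been run yet and those accounts cannot log in;
 *  - distributed-auth accounts without an e-mail address, which cannot use
 *    "request new password" once the remote site stops answering.
 */
function site_network_requirements($phase) {
  $requirements = array();
  if ($phase != 'runtime') {
    return $requirements;
  }

  // Rows not yet migrated from the core module.
  $stale = (int) db_result(db_query("SELECT COUNT(*) FROM {authmap} WHERE module = 'drupal'"));
  $requirements['site_network_authmap'] = array(
    'title' => t('Site network: legacy authmap entries'),
    'value' => format_plural($stale, '1 entry still assigned to drupal.module', '@count entries still assigned to drupal.module'),
    'severity' => $stale ? REQUIREMENT_WARNING : REQUIREMENT_OK,
  );
  if ($stale) {
    $requirements['site_network_authmap']['description'] = t('Run update.php so that these accounts can log in again.');
  }

  // Remote-authenticated accounts with no e-mail address on record.
  $no_mail = (int) db_result(db_query("SELECT COUNT(DISTINCT u.uid) FROM {users} u INNER JOIN {authmap} a ON a.uid = u.uid WHERE a.module = 'site_network' AND (u.mail IS NULL OR u.mail = '')"));
  $requirements['site_network_mail'] = array(
    'title' => t('Site network: accounts without e-mail'),
    'value' => format_plural($no_mail, '1 remote-authenticated account has no e-mail address', '@count remote-authenticated accounts have no e-mail address'),
    'severity' => $no_mail ? REQUIREMENT_WARNING : REQUIREMENT_OK,
  );
  if ($no_mail) {
    $requirements['site_network_mail']['description'] = t('These users cannot reset their password; ask them to set an e-mail address before remote authentication is retired.');
  }

  return $requirements;
}
```

Both checks only read the database; the second one is what a site admin would use to decide who needs the manual "enter an e-mail address and set a new password" treatment mentioned earlier in the thread.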
On Oct 9, 2007, at 6:52 AM, Sean Robertson wrote:
I've been able to use @drupal.org on quite a few other sites too, so I think it'd be a good idea to focus some efforts on making this backwards compatible.
Apparently few people read the issue: http://drupal.org/node/178768

Or they would have seen Moshe's comment #22 there: http://drupal.org/node/178768#comment-317538

"I strongly recommend that drupal.org continue to run this module. Many many people on groups.drupal.org use login via [distributed authentication] to drupal.org and [t]hey will all be shut out if we stop running this module. There are lots of other sites like this too."

Even if it's no longer in core, a) drupal.org itself can continue to run it for as long as we want and b) other sites that rely on it can run it too. It just means it's no longer a default part of Drupal core for D6 and beyond.

That said, we *should* have a transition plan to get people off the legacy distributed authentication scheme, turn d.o into an OpenID provider, and get everyone using that. But that doesn't mean we should either make the new site_network contrib "backwards compatible" (that's *all* it is) ;) nor that we should add "backwards compatible" distributed authentication code to our OpenID support (which would be a colossal mistake). In fact, this transition plan probably requires more marketing and education than code, though some kind of tool to help migrate users might make this go more smoothly.

Cheers,
-Derek
Derek Wright wrote:
On Oct 9, 2007, at 6:52 AM, Sean Robertson wrote:
I've been able to use @drupal.org on quite a few other sites too, so I think it'd be a good idea to focus some efforts on making this backwards compatible.
Apparently few people read the issue:
Or they would have seen Moshe's comment #22 there:
http://drupal.org/node/178768#comment-317538
"I strongly recommend that drupal.org continue to run this module. Many many people on groups.drupal.org use login via [distributed authentication] to drupal.org and [t]hey will all be shut out if we stop running this module. There are lots of other sites like this too."
Even if it's no longer in core, a) drupal.org itself can continue to run it for as long as we want
The question is: do we want to? People are using the password to our site on some potentially insecure sites.

I think it is desirable for d.o to stop using drupal.module as soon as feasible. Read: As soon as g.d.o has fixed the issue. We should be able to add missing email addresses by doing some synchronizing between d.o and g.d.o's databases.

Cheers,
Gerhard
Gerhard Killesreiter wrote:
I think it is desirable for d.o to stop using drupal.module as soon as feasible. Read: As soon as g.d.o has fixed the issue. We should be able to add missing email addresses by doing some synchronizing between d.o and g.d.o's databases.
Not just g.d.o, because I used my @d.o on association.d.o, too.
On Oct 9, 2007, at 8:45 AM, Gerhard Killesreiter wrote:
The question is: do we want to? People are using the password to our site on some potentially insecure sites.
Agreed.
I think it is desirable for d.o to stop using drupal.module as soon as feasible.
Agreed.
Read: As soon as g.d.o has fixed the issue. We should be able to add missing email addresses by doing some synchronizing between d.o and g.d.o's databases.
Depending on the timing of it, I think this might be too aggressive. We've gone N years with this security problem, another month won't kill anyone.

I think we need a front page post about it with a specific deadline at which @drupal.org logins on other sites will no longer work. I think we should give people at least a month to transition, upgrade, whatever they have to do. Plus, we should attempt to have d.o as an OpenID provider ASAP (which doesn't require putting the OpenID server code in core for D6, mind you), ideally as part of the info in that front page post, encouraging people to use that instead...

Cheers,
-Derek
Derek Wright wrote:
On Oct 9, 2007, at 8:45 AM, Gerhard Killesreiter wrote:
The question is: do we want to? People are using the password to our site on some potentially insecure sites.
Agreed.
I think it is desirable for d.o to stop using drupal.module as soon as feasible.
Agreed.
Read: As soon as g.d.o has fixed the issue. We should be able to add missing email addresses by doing some synchronizing between d.o and g.d.o's databases.
Depending on the timing of it, I think this might be too aggressive. We've gone N years with this security problem, another month won't kill anyone.
Yeah, I guess.
I think we need a front page post about it with a specific deadline at which @drupal.org logins on other sites will no longer work. I think we should give people at least a month to transition, upgrade, whatever they have to do. Plus, we should attempt to have d.o as an OpenID provider ASAP (which doesn't require putting the OpenID server code in core for D6, mind you), ideally as part of the info in that front page post, encouraging people to use that instead...
There are people who want to work on an OpenID server for d.o. I propose that we end support for drupal.module-type logins either the last of December or whenever that server is there, whichever comes first.

Cheers,
Gerhard
On 10/9/07, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
I think we need a front page post about it with a specific deadline at which @drupal.org logins on other sites will no longer work. I think we should give people at least a month to transition, upgrade, whatever they have to do. Plus, we should attempt to have d.o as an OpenID provider ASAP (which doesn't require putting the OpenID server code in core for D6, mind you), ideally as part of the info in that front page post, encouraging people to use that instead...
There are people who want to work on an OpenID server for d.o. I propose that we end support for drupal.module-type logins either the last of December or whenever that server is there, whichever comes first.
James Walker, as part of his Community Ambassador duties for the Association, has agreed to take on the task of making a plan / proposal for this. Please contact James Walker or myself to get involved. Or just start porting / testing the OpenID Server code using the issue queue if you wanna just go ahead and code.....

My suggestion about "backwards compatibility" would be only having to enter your d.o. username -- everything else would still continue with OpenID authentication ... yes to marketing and education :P

-- 
Boris Mann
Office 604-682-2889
Skype borismann
http://www.bryght.com
On 9-Oct-07, at 3:59 PM, Boris Mann wrote:
On 10/9/07, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
I think we need a front page post about it with a specific deadline at which @drupal.org logins on other sites will no longer work. I think we should give people at least a month to transition, upgrade, whatever they have to do. Plus, we should attempt to have d.o as an OpenID provider ASAP (which doesn't require putting the OpenID server code in core for D6, mind you), ideally as part of the info in that front page post, encouraging people to use that instead...
There are people who want to work on an OpenID server for d.o. I propose that we end support for drupal.module-type logins either the last of December or whenever that server is there, whichever comes first.
James Walker, as part of his Community Ambassador duties for the Association, has agreed to take on the task of making a plan / proposal for this. Please contact James Walker or myself to get involved. Or just start porting / testing the OpenID Server code using the issue queue if you wanna just go ahead and code.....
Yes, I'll be writing more of this up this week(ish) ... but if you're interested in potentially being involved, by all means ping me. If you wanna write code, we can maybe do a bit better than just thrashing away at what's there.

-- 
James Walker :: http://walkah.net/ :: xmpp:walkah@walkah.net
Perhaps I'm misunderstanding - I thought once I use the Drupal module to log into a site a local account is created? Thus, the only issue is whether users have properly set an e-mail address?

-Peter

On 10/9/07, Gerhard Killesreiter <gerhard@killesreiter.de> wrote:
The question is: do we want to? People are using the password to our site on some potentially insecure sites.
I think it is desirable for d.o to stop using drupal.module as soon as feasible. Read: As soon as g.d.o has fixed the issue. We should be able to add missing email addresses by doing some synchronizing between d.o and g.d.o's databases.
Cheers,
Gerhard
OpenID is not 'backwards compatible' with the old system - the bottom line is people's logins will no longer work. Yes, OpenID provider work is progressing, slowly as I've had some distractions, but I'm hoping to push a beta out around 6's launch. It doesn't actually address the situation, though.

On 8-Oct-07, at 11:20 PM, Moshe Weitzman wrote:
CHANGELOG.txt
Or someone could port the OpenID server to D6 and we'll have a great story to tell these upgraders. Interested parties should see the 4.7 version at http://cvs.drupal.org/viewvc.py/drupal/contributions/modules/openid/?pathrev=DRUPAL-4-7--2. James - any progress since then?
-- James Walker :: http://walkah.net/ :: xmpp:walkah@walkah.net
participants (16)

- Boris Mann
- Daniel F. Kudwien
- David Norman
- Derek Wright
- Dmitri G
- Earnie Boyd
- Gerhard Killesreiter
- Gábor Hojtsy
- James Walker
- Khalid Baheyeldin
- Larry Garfield
- Moshe Weitzman
- Peter Wolanin
- Sean Robertson
- Steven Peck
- Walt Daniels