On Fri, 06 Sep 2013 14:53:00 -0400, Donald Stufft <donald@stufft.io> wrote:
On Sep 6, 2013, at 1:22 PM, Dan Callahan <dcallahan@mozilla.com> wrote:
On 9/5/13 12:31 PM, Jesus Cea wrote:
I have big hopes for Mozilla Persona, looking forward Python infrastructure support :).
Hi, I'm the project lead on Persona signin, and I spoke at PyCon earlier this year regarding why and how Mozilla is building Persona. If you'd like some more background, that video [0] is worth a look.
Let's pull this discussion up a level:
It sounds like many people (Jesus, Donald, Toshio, Barry, Tres, Dirkjan, etc.) are interested in seeing Persona on Python.org properties, and most of the objections coming from a place of "Persona hasn't gone viral, what if this is wasted effort?"
We can tackle that from two angles:
1. Dirkjan and I are willing to do the work to make this happen if someone from python-devel is willing to guide us through the contributor process for these systems.
Thanks. I'm one of the people with admin access to the bug tracker (I haven't done much maint lately, though, Ezio has done the most). There is information on setting up a replica of our production system here: https://wiki.python.org/moin/TrackerDevelopment If you want to start hacking on a solution, the first step would be to spin up a test setup. If you propose a patch, either I or Ezio should be able to find the time to review and apply it, if you also commit to maintaining it ;) Tracker specific discussion happens on the tracker-discuss mailing list, by the way (very low traffic).
2. There's a seamless migration path away from Persona if we fail: fall back to the pre-existing traditional email/password system using the same email addresses that Persona had previously been in charge of verifying.
Roundup uses database-derived numeric IDs. An email is associated with each account, but does not participate in authentication or authorization after initial signup. (Except for the email interface...but that is a separate story and you shouldn't need to address that).
So let's do this. The open web deserves better than just Google+, Facebook, or Passwords, and visible support from the Python community would be a huge step toward answering the chicken-and-egg objections raised in this thread.
At your service, -Callahad
PS: Freeform OpenID has utterly failed as a user-empowering authentication system, and the protocol itself is rapidly being supplanted by vendor-specific OAuth[1] systems. If we want to ensure that "you *can* (not *must*) use free and open services to access our resources," then we must provide an option to use something akin to Persona.
IMO, single signon is overrated. Especially if one prefers not to make it easy for various accounts to be automatically associated with one another by various entities who shall remain nameless but have been in the news a lot lately :) --David