Requiring GitHub login for actions on Trac

[Aymeric Augustin]

Hello,

If you’re subscribed to django-updates, you may have noticed that some spam is getting through since a few days. This is a negligible percentage of the amount of spam our defenses are fending off (about 4000 / day) but it’s annoying.

We're allowing anonymous bug reports because the process to create and activate a djangoproject.com account is too cumbersome. You must go to www.djangoproject.com, register, get an email, and then go back to Trac and log in.

In order to fix the spam problem while maintaining an easy workflow, I’m proposing to require GitHub auth for all “write” operations: creating a ticket, adding a comment, etc. Most people interested in Trac should have a GitHub account already.

The main downside is that we’re switching to a different set of usernames. If a person doesn’t have the same username on Trac and on GitHub, comments made before and after the switch will appear under different names. However, we already have that problem when people forget to login and it isn’t that bad. We’ll also have to audit usernames of the fifty people who have admin permissions.

As another upside, people won’t have to remember their Trac username and password anymore.

What do you think?

--
Aymeric.

[Tim Graham]

I proposed the idea a couple months ago and got several +1's. The main concern was from Shai, "not quite -1, but a strong -0 on "blessing" any single oAuth provider. GitHub is fine, but so are Google, StackExchange, and even the Evil Empires(TM)."

https://groups.google.com/d/msg/django-developers/g728g23VI2E/whaVBdxSAlYJ

[Carl Meyer]

+1 from me.

I don't see a problem with supporting only GitHub OAuth in this case.
Django is hosted on GitHub, and any code contribution (which is
ultimately what Trac is all about) will happen via GitHub, so it seems
quite natural to me to support GitHub OAuth rather than any other
arbitrary OAuth provider. (Not that I'd be opposed if someone wanted to
add support for other providers, just that I don't think this initiative
should be held up on that basis.)

Carl

On 08/06/2014 03:30 PM, Tim Graham wrote:
> I proposed the idea a couple months ago and got several +1's. The main
> concern was from Shai, "not quite -1, but a strong -0 on "blessing" any
> single oAuth provider. GitHub is fine, but so are Google, StackExchange,
> and even the Evil Empires(TM)."
>
> https://groups.google.com/d/msg/django-developers/g728g23VI2E/whaVBdxSAlYJ
>
> On Wednesday, August 6, 2014 5:18:38 PM UTC-4, Aymeric Augustin wrote:
>
> Hello,
>
> If you’re subscribed to django-updates, you may have noticed that
> some spam is getting through since a few days. This is a negligible
> percentage of the amount of spam our defenses are fending off (about
> 4000 / day) but it’s annoying.
>
> We're allowing anonymous bug reports because the process to create

> and activate a djangoproject.com <http://djangoproject.com> account

> is too cumbersome. You must go to www.djangoproject.com

> <http://www.djangoproject.com>, register, get an email, and then go

> back to Trac and log in.
>
> In order to fix the spam problem while maintaining an easy workflow,
> I’m proposing to require GitHub auth for all “write” operations:
> creating a ticket, adding a comment, etc. Most people interested in
> Trac should have a GitHub account already.
>
> The main downside is that we’re switching to a different set of
> usernames. If a person doesn’t have the same username on Trac and on
> GitHub, comments made before and after the switch will appear under
> different names. However, we already have that problem when people
> forget to login and it isn’t that bad. We’ll also have to audit
> usernames of the fifty people who have admin permissions.
>
> As another upside, people won’t have to remember their Trac username
> and password anymore.
>
> What do you think?
>
> --
> Aymeric.
>

> --
> You received this message because you are subscribed to the Google
> Groups "Django developers" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to django-develop...@googlegroups.com
> <mailto:django-develop...@googlegroups.com>.
> To post to this group, send email to django-d...@googlegroups.com
> <mailto:django-d...@googlegroups.com>.
> Visit this group at http://groups.google.com/group/django-developers.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/39b51ddd-7eac-4087-bde4-d798c1728e2d%40googlegroups.com
> <https://groups.google.com/d/msgid/django-developers/39b51ddd-7eac-4087-bde4-d798c1728e2d%40googlegroups.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout.

[Ben Finney]

Aymeric Augustin
<aymeric....@polytechnique.org>
writes:

> In order to fix the spam problem while maintaining an easy workflow,
> I'm proposing to require GitHub auth for all "write" operations:
> creating a ticket, adding a comment, etc. Most people interested in
> Trac should have a GitHub account already.

−1. I am happy to agree to Django's BTS terms of use, not GitHub's.
Please don't make the former depend on the latter.

--
\ “Isn't it enough to see that a garden is beautiful without |
`\ having to believe that there are fairies at the bottom of it |
_o__) too?” —Douglas Adams |
Ben Finney

[Shai Berger]

Hi,

> On 08/06/2014 03:30 PM, Tim Graham wrote:
> > I proposed the idea a couple months ago and got several +1's. The main
> > concern was from Shai, "not quite -1, but a strong -0 on "blessing" any
> > single oAuth provider. GitHub is fine, but so are Google, StackExchange,
> > and even the Evil Empires(TM)."

I still hold this position.

On Thursday 07 August 2014 00:35:11 Carl Meyer wrote:
> I don't see a problem with supporting only GitHub OAuth in this case.
> Django is hosted on GitHub, and any code contribution (which is
> ultimately what Trac is all about) will happen via GitHub

I disagree twice. We use Trac for a Wiki, not just for issue tracking, and
many contributions on Trac are not code contributions (even though they are
ultimately about code). Further, we still accept patches as attachments to
tickets. Today, it is possible to contribute to the Django project without a
Github account. I would like this to remain the case.

> > On Wednesday, August 6, 2014 5:18:38 PM UTC-4, Aymeric Augustin wrote:
> >
> > If you’re subscribed to django-updates, you may have noticed that
> > some spam is getting through since a few days. This is a negligible
> > percentage of the amount of spam our defenses are fending off (about
> > 4000 / day) but it’s annoying.
> >

Agreed. Something needs to be done.

> > The main downside is that we’re switching to a different set of
> > usernames. If a person doesn’t have the same username on Trac and on
> > GitHub, comments made before and after the switch will appear under
> > different names. However, we already have that problem when people
> > forget to login and it isn’t that bad. We’ll also have to audit
> > usernames of the fifty people who have admin permissions.
> >

Due diligence: I am one of those users whose name on Trac is not the same as
on Github. Consider me biased :-)

Shai.

[Andre Terra]

On Wed, Aug 6, 2014 at 9:47 PM, Shai Berger <sh...@platonix.com> wrote:

Today, it is possible to contribute to the Django project without a
Github account. I would like this to remain the case.

This is the most important argument for the -0. In fact, as a seldom code contributor but long time user and commenter on trac tickets, if I had to vote, I would actually -1 on the basis of not wanting to give that blessing to GitHub on an exclusive basis. If were are considering other OAuth providers, "now is better than ever" lest GitHub take over as a de facto standard that may never be overcome.

Most importantly, how would Django as a project benefit from this choice other than reducing minimal spam?

A better solution would be to strengthen what it means to have an identity on djangoproject.com. Rather than restricting user actions to Trac, we could motivate users to create something like a Django profile which would be used for Trac (among may other uses) and could later be linked to any OAuth providers, including but not limited to GitHub.

TL;DR Identity on djangoproject.com, Authentication linked to multiple OAuth, Authorization in Trac.

I hope that idea makes sense. I may be just babbling nonsense.

Cheers,

AT

[Josh Smeaton]

In that case, is it easy enough to support github oauth + the current trac auth concurrently? If a user chooses to go through the harder path, that's fine.

I like the idea of using github oauth. Password managers usually have a miserable time supporting HTTP basic auth.

[Alex Gaynor]

+1 for Github.

Here's why: You're all focused on existing users. For new users, being able to reuse existing authentication credentials is a considerable step up, I regularly give up on filing bug reports against other OSS projects because I'm frankly too tired to register for yet-another-JIRA-instance.

Alex

--

You received this message because you are subscribed to the Google Groups "Django developers" group.

To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.

Visit this group at http://groups.google.com/group/django-developers.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAKBiv3xybw0b26tamFS%2BMDuPPF8Ce5L7bqza6k08a2_u2eeMcg%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

--

"I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero

GPG Key fingerprint: 125F 5C67 DFE9 4084

[Ben Finney]

Alex Gaynor <alex....@gmail.com>
writes:

> For new users, being able to reuse existing authentication credentials
> is a considerable step up

Agreed. This is an argument to allow OAuth login.

It is not an argument to privilege any OAuth provider over others, or
any OAuth provider over no provider at all.

> I regularly give up on filing bug reports against other OSS projects
> because I'm frankly too tired to register for
> yet-another-JIRA-instance.

Likewise, I regularly give up because too much dependence is given to
Facebook, or GitHub, or etc. etc. etc.

Please don't make a new user's use of one service depend on them having
agreed to a specific unrelated corporation's terms of use.

They should be free to join whether or not they are a user of GitHub or
Facebook or Twitter or JoesOwnProvider or none of the above.

--
\ “If I melt dry ice, can I swim without getting wet?” —Steven |
`\ Wright |
_o__) |
Ben Finney

[Michael Manfre]

On Wed, Aug 6, 2014 at 8:59 PM, Josh Smeaton <josh.s...@gmail.com> wrote:

In that case, is it easy enough to support github oauth + the current trac auth concurrently? If a user chooses to go through the harder path, that's fine.

I like the idea of using github oauth. Password managers usually have a miserable time supporting HTTP basic auth.

I've made many comments without logging in because LastPass doesn't seem to work with basic auth and having to manually copy & paste credentials is too much of a hassle to bother with. 

[Aymeric Augustin]

To be clear, I have a working implementation of GitHub OAuth that I can
activate as soon as we reach a consensus.

On 7 août 2014, at 02:43, Ben Finney <ben+p...@benfinney.id.au> wrote:

> −1. I am happy to agree to Django's BTS terms of use, not GitHub's.
> Please don't make the former depend on the latter.

I didn’t know our Trac installation had terms of use. So, are you
volunteering to jump in and delete spam as it comes in? Or do you
have an alternative proposal?

On 7 août 2014, at 02:47, Shai Berger <sh...@platonix.com> wrote:

> Today, it is possible to contribute to the Django project without a
> Github account. I would like this to remain the case.

This is possible but in a limited capacity. To be honest, I think that
ship sailed when we moved to GitHub. We would have also moved
issues there if GitHub’s tools were usable.

On 7 août 2014, at 02:58, Andre Terra <andre...@gmail.com> wrote:

> Most importantly, how would Django as a project benefit from this
> choice other than reducing minimal spam?

Did you just ask “how would Django as a project benefit from having
core devs work on committing patches rather than fighting spam”?

If you don’t already have a djangoproject.com account, you’re likely to
give up on reporting a small bug just because it’s too complicated to
log in. Considering our target demographic, GitHub OAuth would
eliminate this problem.

Also, if you’re trying to report a bug anonymously, you’re likely to be
unable to pass the CAPTCHA, and also be unable to report it, because
you’re still getting blocked by the CAPTCHA. See complaints:
https://code.djangoproject.com/search?q=captcha&noquickjump=1&ticket=on

Finally, to be honest, I’d rather adjust Django’s tools to enthusiastic
beginners than grumpy freedom extremists who refuse to use GitHub.

> A better solution would be to strengthen what it means to have an identity
> on djangoproject.com. Rather than restricting user actions to Trac, we
> could motivate users to create something like a Django profile which would
> be used for Trac (among may other uses)

We already have that: https://www.djangoproject.com/~aaugustin/

> and could later be linked to any OAuth providers, including but not limited
> to GitHub.

We don’t have that.

> TL;DR Identity on djangoproject.com, Authentication linked to multiple OAuth,
> Authorization in Trac.

Are you volunteering to do this work, and if so, when will it be done?

> I hope that idea makes sense. I may be just babbling nonsense.

I’m sorry, but ideas don’t matter nearly as much as execution here.
We just need working tools — nothing fancy.

On 7 août 2014, at 02:59, Josh Smeaton <josh.s...@gmail.com> wrote:

> is it easy enough to support github oauth + the current trac auth concurrently?
> If a user chooses to go through the harder path, that's fine.

It may be doable to provide two authentications endpoints, like /login and
/login/github. Trac just looks at REMOTE_USER and creates a session that
lasts until you logout. I’ll look into it.

That solves the “GitHub is evil, I don’t want to touch their bytes with a six
foot pole” problem, but only half of the username mismatch problem. You
can keep using your djangoproject.com username is you wish, but if
someone else owns the same username on GitHub, they can impersonate
you e.g. https://github.com/shai / https://www.djangoproject.com/~shai/.

That said, if you aren’t logged in, you can type anything you want in Trac's
“Your username or email” field. It provides identification, not authentication.
This has never been a problem in the past. So I don’t think we’ll run into
too much trouble with usernames in general.

The only part where Trac usernames are used for authentication is access
control, which only applies to people who have special permissions.

--
Aymeric.

[Schmitt, Christian]

I'm a little bit concerned about that.

First I'm using a different user on Trac than on Github, so everything I wrote so far will getting lost (not that bad problem for me), but I think there are many users who are in the same situation.

The next thing is vendor lock-in. What will happen if Github don't have enough money? Then all usernames would need to migrate back or to another OAuth provider, then everything could be lost a second time.

Or that Github gets bad / mad.

Currently we already live in a world were everything gets connected. And that is really awful. One must consider that Github is definitely a target for intelligence agencies. And I don't mean the NSA only. 

Maybe I'm a little bit too paranoid but at the current state of the internet we shouldn't try to connect everything, just it is easier to login.

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/53B41C22-FAB6-49A9-9284-5BCCFC4D28BD%40polytechnique.org.

[Erik Romijn]

Thank you for working on this, Aymeric. I am definitely +1 on moving to
GitHub as sole authentication provider for trac.

We could argue about this forever. In the mean time the spam will pile
up, core developers will have to spend time deleting all of it, and
eventually we'd come to a plan which will never be executed because
nobody has enough time to build the convoluted end result.

Using GitHub makes sense as it's very likely a new contributor already
has a GitHub account (and if not, creating an account is useful for
much more than just Django), and many actions of contributing to Django
already tie closely to GitHub - even though you can still avoid it if
you really insist.

I have no strong feelings about having trac and GitHub authentication
both available. If we can make it work, it makes sense to allow it, but
I can see your point regarding technical issues that may have.

Most of all, let's be pragmatic about it and stop the spam, with the
added benefit of lowering the boundary for new contributors.

Erik

[Josh Smeaton]

I don't think "vendor lock in" is a good enough reason to avoid it. If GitHub were to go away, the move to a new code platform would be the greater problem. Also, nothing will be "lost". The old usernames will still be there, they just won't be properly linked to your github username. I don't think that's really a major concern either.

> Finally, to be honest, I’d rather adjust Django’s tools to enthusiastic 
> beginners than grumpy freedom extremists who refuse to use GitHub.

+1

[Tom Christie]

Absolutely +1.

Clearly the most pragmatic choice.

[Daniele Procida]

On Thu, Aug 7, 2014, Schmitt, Christian <c.sc...@briefdomain.de> wrote:

>Currently we already live in a world were everything gets connected. And
>that is really awful. One must consider that Github is definitely a target
>for intelligence agencies. And I don't mean the NSA only.
>Maybe I'm a little bit too paranoid but at the current state of the
>internet we shouldn't try to connect everything, just it is easier to login.

The purpose isn't to make it easier to login - it's to make it harder for people to flood Trac with spam. Maintaining that is a real pain in the neck.

This isn't just about convenience, it's about a significant quantity of work just to clean up other people's abuse and to keep the system reasonably clean.

If someone has the time and energy to keep Trac free of spam, that would be a solution - but I'd prefer to find a solution that didn't waste valuable human time and energy.

Daniele

[Chris Foresman]

+1 on GitHub OAuth. I've avoided filling or commenting on bugs because setting up Yet Another Account was enough friction that I never did it.

[Andre Terra]

On Thu, Aug 7, 2014 at 3:46 AM, Aymeric Augustin <aymeric....@polytechnique.org> wrote:

On 7 août 2014, at 02:58, Andre Terra <andre...@gmail.com> wrote:

> Most importantly, how would Django as a project benefit from this
> choice other than reducing minimal spam?

Did you just ask “how would Django as a project benefit from having
core devs work on committing patches rather than fighting spam”?

Did you just put on the worst attitude possible because someone asked an honest question?

And, no, I asked what advantages are there for choosing GitHub other than the alternatives. As someone else aptly put it somewhere else in this thread, what if we decide we don't like GitHub anymore?

If you don’t already have a djangoproject.com account, you’re likely to
give up on reporting a small bug just because it’s too complicated to
log in. Considering our target demographic, GitHub OAuth would
eliminate this problem.

Also, if you’re trying to report a bug anonymously, you’re likely to be
unable to pass the CAPTCHA, and also be unable to report it, because
you’re still getting blocked by the CAPTCHA. See complaints:
https://code.djangoproject.com/search?q=captcha&noquickjump=1&ticket=on

Finally, to be honest, I’d rather adjust Django’s tools to enthusiastic
beginners than grumpy freedom extremists who refuse to use GitHub.

> A better solution would be to strengthen what it means to have an identity
> on djangoproject.com. Rather than restricting user actions to Trac, we
> could motivate users to create something like a Django profile which would
> be used for Trac (among may other uses)

We already have that: https://www.djangoproject.com/~aaugustin/

Yes, I am well aware. Hence my use of the word "strengthen".

> and could later be linked to any OAuth providers, including but not limited
> to GitHub.

We don’t have that.

> TL;DR Identity on djangoproject.com, Authentication linked to multiple OAuth,
> Authorization in Trac.

Are you volunteering to do this work, and if so, when will it be done?

> I hope that idea makes sense. I may be just babbling nonsense.

I’m sorry, but ideas don’t matter nearly as much as execution here.
We just need working tools — nothing fancy.

I am sorry, I was under the impression that this was a mailing list. I wasn't aware we were on a coding sprint.

I would say execution doesn't matter nearly as much as planning.

I think it's common sense to establish a long term path before we taking the first step. Perhaps GitHub OAuth is a good solution for the spam problem, but on the other hand it may not be the ideal solution for Django as a community and project. Many others before and after me have expressed a desire to not have GitHub as a hard requirement. Are we more adamant about not adding code to contrib or using X or Y javascript framework than we are about adding GitHub as a requirement to the project?

The ad hominem attacks and harsh attitude definitely do not make an inviting atmosphere for new and old contributors alike. Consider rethinking that.

--

AT

[Aymeric Augustin]

Hi Andre,

On 7 août 2014, at 19:57, Andre Terra <andre...@gmail.com> wrote:

On Thu, Aug 7, 2014 at 3:46 AM, Aymeric Augustin <aymeric....@polytechnique.org> wrote:

On 7 août 2014, at 02:58, Andre Terra <andre...@gmail.com> wrote:

> Most importantly, how would Django as a project benefit from this
> choice other than reducing minimal spam?

Did you just ask “how would Django as a project benefit from having
core devs work on committing patches rather than fighting spam”?

Did you just put on the worst attitude possible because someone asked

an honest question?

I’m sorry. Please accept my apologies and let me rephrase that without

spam-fighting-induced frustration:

“Other than reducing spam, Django as a project will benefit from this

change be freeing core dev time and energy currently used to delete

spam manually and tweak a feeble anti-spam plugin. Core dev time

and energy are often cited as bottlenecks in the Django development

process.”

Other advantages have been put forward; I won’t rehash them.

And, no, I asked what advantages are there for choosing GitHub other

than the alternatives.

GitHub doesn’t require creating a new account, since anyone interested

in contributing to Django should have a GitHub account already to

submit pull requests.

As someone else aptly put it somewhere else in

this thread, what if we decide we don't like GitHub anymore?

The same thing will happen as when we decided we didn’t like

self-hosted SVN anymore: we’ll migrate to the shiny new thing.

I’m sorry, but ideas don’t matter nearly as much as execution here.
We just need working tools — nothing fancy.

I am sorry, I was under the impression that this was a mailing list.

I wasn't aware we were on a coding sprint.

I would say execution doesn't matter nearly as much as planning.

When we had the discussions that led to Django’s eventual move

from self-hosted SVN to GitHub, we kept planning and not executing

until Adrian bit the bullet and Just Fucking Did It. In hindsight it’s

generally accepted as a good idea. That’s why I believe that, when

tooling is concerned (as opposed to code), endless planning is

inefficient.

Many others before and after me have expressed a desire to

not have GitHub as a hard requirement.

Indeed, but I’m dismissing this argument because GitHub is the

pragmatic choice, whether you like it or not. Also, this reveals

that your argumentation in favor of more planning was actually

aimed at stalling the proposal.

If you hate GitHub enough that you don’t want to use it, put your

time where your mouth is and build a solution.

But don’t ask me to keep deleting spam manually.

-- 

Aymeric.

[Andre Terra]

Hi, Aymeric,

Thank you for your e-mail. I sympathize with your frustration.

On Thu, Aug 7, 2014 at 3:27 PM, Aymeric Augustin <aymeric....@polytechnique.org> wrote:

Indeed, but I’m dismissing this argument because GitHub is the

pragmatic choice, whether you like it or not. Also, this reveals

that your argumentation in favor of more planning was actually

aimed at stalling the proposal.

If you hate GitHub enough that you don’t want to use it, put your

time where your mouth is and build a solution.

But don’t ask me to keep deleting spam manually.

In fact, all of my code is hosted on GitHub. I don't dislike it particularly, just wanted to make sure we were fully investigating the alternatives.

About what Django could gain from this project, I think GitHub should at least tweet that now developers who want to contribute to Django can login with their GitHub account, and promote the project. I'd prefer a blog post, but twitter is fine. It's a fair request given the non-negligible impact of asking every newcomer to sign up to their service.

Cheers,

AT

[Donald Stufft]

I’m sorry. Please accept my apologies and let me rephrase that without

spam-fighting-induced frustration:

“Other than reducing spam, Django as a project will benefit from this

change be freeing core dev time and energy currently used to delete

spam manually and tweak a feeble anti-spam plugin. Core dev time

and energy are often cited as bottlenecks in the Django development

process.”

Other advantages have been put forward; I won’t rehash them.

+1

It would also enable us to unify access controls too I think? I think we could

just pull permissions from GitHub?

---

Donald Stufft

PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

[Ben Finney]

Aymeric Augustin
<aymeric....@polytechnique.org>
writes:

> GitHub doesn't require creating a new account, since anyone interested
> in contributing to Django should have a GitHub account already to
> submit pull requests.

This seems to be a common assumption, but it's not true — unless you
only count VCS contributions.

Are we not talking about contributors to Django's Trac instance, though?
There is currently no need to have a GitHub account to contribute there,
and you're proposing to require that.

> But don't ask me to keep deleting spam manually.

I don't want that to continue. I also don't want these two issues to be
tied together.

--
\ “Facts are stubborn things; and whatever may be our wishes, our |
`\ inclinations, or the dictates of our passion, they cannot alter |
_o__) the state of facts and evidence.” —John Adams, 1770-12-04 |
Ben Finney

[Shai Berger]

On Friday 08 August 2014 01:49:55 Ben Finney wrote:
> Aymeric Augustin <aymeric....@polytechnique.org> writes:
> > GitHub doesn't require creating a new account, since anyone interested
> > in contributing to Django should have a GitHub account already to
> > submit pull requests.
>
> This seems to be a common assumption, but it's not true — unless you
> only count VCS contributions.
>

Exactly. While I do care about the Free Software issues, my main concern with
the Github account requirement is the message it seems to send: "If you're not
going to contribute code, we're not interested in your bug reports". This
sentiment is all but explicitly stated in Aymeric's words above.

Shai.

[Aymeric Augustin]

You're right. Then just remove "to submit pull requests" from my argument

and it still holds, simply because the vast majority of the Django ecosystem

is on GitHub, and you can't participate meaningfully without GitHub.

I could change my mind if you provided examples of prominent Django

contributors who can't have a GitHub account for a good reason.

Even then I'm not sure that would beat the advantage of having the

occasional bug reporter arrive on Trac and think "hey, cool, I can login

to this bug tracker with GitHub".

--
Aymeric.

[Ben Finney]

Aymeric Augustin
<aymeric....@polytechnique.org>
writes:

> You're right. Then just remove "to submit pull requests" from my
> argument and it still holds, simply because the vast majority of the
> Django ecosystem is on GitHub, and you can't participate meaningfully
> without GitHub.

You can, at present, participate in Django's bug tracker without a
GitHub account.

The bug tracker contributions don't count, then? You consider
participation in bug tracker discussions to be meaningless?

--
\ “For every complex problem, there is a solution that is simple, |
`\ neat, and wrong.” —Henry L. Mencken |
_o__) |
Ben Finney

[Anssi Kääriäinen]

On Fri, 2014-08-08 at 08:39 +0200, Aymeric Augustin wrote:



> You're right. Then just remove "to submit pull requests" from my
> argument
> and it still holds, simply because the vast majority of the Django
> ecosystem
> is on GitHub, and you can't participate meaningfully without GitHub.
>
>
> I could change my mind if you provided examples of prominent Django
> contributors who can't have a GitHub account for a good reason.
>

The reason for unauthenticated Trac access was making it as easy as
possible for random Django developers to submit bug reports. The above
is very close to claiming that we care only about prominent Django
contributors which just isn't true.

For the record, +1 for requiring logins to use Trac (spam + ability to
impersonate core committers were both bad), and +0 for using GitHub for
logins. Having other OAuth providers would be even better.
- Anssi

[Aymeric Augustin]

2014-08-08 8:55 GMT+02:00 Ben Finney <ben+p...@benfinney.id.au>:

Aymeric Augustin
<aymeric....@polytechnique.org>
writes:

> You're right. Then just remove "to submit pull requests" from my
> argument and it still holds, simply because the vast majority of the
> Django ecosystem is on GitHub, and you can't participate meaningfully
> without GitHub.

You can, at present, participate in Django's bug tracker without a
GitHub account.

The "Django ecosystem" includes third-party apps, most of which

use GitHub issues for bug tracking.

 

The bug tracker contributions don't count, then? You consider
participation in bug tracker discussions to be meaningless?

Would you mind avoiding strawman arguments? 

--
Aymeric.

[Curtis Maloney]

For what it's worth, I can understand the opposition to requiring a GH login [ostensibly a "coders" account] in order to make comments on tickets.

However, if you're opinionated on a ticket you're either a coder, or feel strongly enough to overcome such a [low] hurdle.

Still, options of more than just GH would dissipate this issue... those without GH, BB and Twtitter accounts would be few, I'm sure, and tools like python-oauth-toolkit give you many options easily.

Does this debate include removing the _existing_ auth?

--

C

--

You received this message because you are subscribed to the Google Groups "Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CANE-7mUMrhB1L7ej%3DN1hE70CFV_EiwBG16bV6FSVCUnU6ZOgkw%40mail.gmail.com.

[Shai Berger]

On Saturday 09 August 2014 01:38:32 Curtis Maloney wrote:
> For what it's worth, I can understand the opposition to requiring a GH
> login [ostensibly a "coders" account] in order to make comments on tickets.
>
> However, if you're opinionated on a ticket you're either a coder, or feel
> strongly enough to overcome such a [low] hurdle.
>
> Still, options of more than just GH would dissipate this issue...

As Aymeric noted (but it might have been "hidden" by the whole argument),
Github is currently implemented; other options are welcome, but someone needs
to add them.

> those
> without GH, BB and Twtitter accounts would be few, I'm sure, and tools like
> python-oauth-toolkit give you many options easily.
>

I, personally, had Google and StackExchange in mind. I will probably add them,
if all goes well and nobody opposes it, within two weeks (I am currently on a
family vacation with busy days and a flaky connection).

> Does this debate include removing the _existing_ auth?
>

Having both auth's together is problematic (perhaps it can be done, but again,
somebody needs to do it). At the moment, you cannot login with a
djangoproject.com user.

Shai.

[Wim Feijen]

Hi Aymeric,

Thanks for your proposal and your work on this! 

I am in favour of *adding* github as an authentication tool. We would benefit immensily for making it easier for new people to log in and contribute. Would it be possible to add that to Trac, so people who have moral constraints against using github, could use the trac login?

In practice, almost all my contributions are made anonymous because that is faster for me, and I would definitely benefit from having a github oauth.

Uhmm... but I see you moved forward and already did it?

Wim 

[Aymeric Augustin]

Hi Wim,

Thanks your your feedback.

On 9 août 2014, at 12:00, Wim Feijen <w...@go2people.nl> wrote:

> I am in favour of *adding* github as an authentication tool. We would benefit immensily for making it easier for new people to log in and contribute. Would it be possible to add that to Trac, so people who have moral constraints against using github, could use the trac login?

I tried to support both Trac auth and GitHub auth but I couldn’t make it work.

The argument that “I use GitHub but maybe someone else doesn’t want to” came up a few times in this discussion. It seems to me that it’s a theoretical concern about an issue that doesn’t exist in practice. That’s why I asked for evidence that GitHub auth is alienating valuable contributors; I haven’t seen such evidence yet.

> In practice, almost all my contributions are made anonymous because that is faster for me, and I would definitely benefit from having a github oath.

Good!

> Uhmm... but I see you moved forward and already did it?

Yes, I did.

--
Aymeric.

[Wim Feijen]

Nice :)

[Luke Granger-Brown]

My only concern with this is the thing with the usernames, whereby some people don't use the same username on Trac as on GitHub, and that accounts are automatically munged together if they have the same username.

As a demonstration, I found someone with the core developer tag on Trac (lukeplant) who didn't have a corresponding GitHub account (his is spookylukey), and created a GitHub account with that username and tried logging in to Trac. As expected, it just logged me into their Trac account.

I'm not sure if this is a concern at all, but thought it was probably worth bringing up, or at least having some method for resolving it (some sort of horrific map between GitHub and Trac accounts?) It's probably slightly more concerning if there are people like that with greater privileges on Trac, which I don't believe is the case.

Luke

Nice :)

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/0dae599b-afcf-4a41-8c2b-75fead33754b%40googlegroups.com.

[Curtis Maloney]

I ran into that exact problem when djangopackages changed... case mis-match meant it took months before I had access again.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CALE3ZjWgUyBYmN22__Qr0ikj-0M8wo2KjgmJzPVyrwYQJ6gpPQ%40mail.gmail.com.

[Aymeric Augustin]

Don’t worry, I remapped permissions to GitHub usernames. Curtis, I lowercased your username, you should still have admin rights.

There were a few usernames I had never seen and couldn’t identify. If you think you lost permissions, please get in touch privately.

As said earlier by Florian, it’s always been possible to put any username when commenting anonymously, and that has never been an issue.

Trac accounts only store the username to save the need to type it every time (and notification preferences but we use django-updates instead).

The core dev highlighting hasn’t been fixed yet, but it’s just a cosmetic thing, it doesn’t give any permissions.

--
Aymeric.

[Thorsten Sanders]

Am 09.08.2014 21:21, schrieb Aymeric Augustin:
> I tried to support both Trac auth and GitHub auth but I couldn't make it work.
>
> The argument that "I use GitHub but maybe someone else doesn't want to" came up a few times in this discussion. It seems to me that it's a theoretical concern about an issue that doesn't exist in practice. That's why I asked for evidence that GitHub auth is alienating valuable contributors; I haven't seen such evidence yet.
>

I think the discussion is on the wrong mailing list, I assume alot ppl
here contribute active and use github anyway, but what is with the users
who report bugs?
Myself I never used trac dont contribute code kinda only listening here
to know about changes ahead of time, but if I would have found a bug and
dont have github account, I wouldnt register on a 3rd site just to fill
in a bug report on another site.
Personally I never register on a site which dont give me the choice to
register directly with that site, I dont like to share what sites I use,
how often and at what times I login there with other sites.
Myself I use usually python-social-auth so ppl who prefer the oauth way
have a wide variety to choose from and also a direct registration for
ppl like me who prefer that way.

[Daniel Greenfeld]

On Sunday, August 10, 2014 2:37:01 AM UTC-7, Aymeric Augustin wrote:

<Snip> 

Using GitHub for auth a giant +1 from me. 

For me, this ranks up with the SVN to Github move as a: "Why hasn't this been done already?"

Daniel Greenfeld

co-author Two Scoops of Django

[Russell Keith-Magee]

Hi Aymeric,

I just noticed that the content on the wiki homepage has been massively altered, replaced with a "please login with GitHub" text. Was this change deliberate?

The wiki landing page is linked from the homepage as code.djangoproject.com, and has always held a collection of useful information about what someone who wants to contribute could do. As it currently stands, code.djangoproject.com doesn't serve as a very inviting introduction to potential contributors. Would you object to me restoring the older content, merging it with the "please login with GitHub text"?

Russ %-)

--
Aymeric.

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/5757E2E5-5496-4C59-A99E-87B5BC1AD276%40polytechnique.org.

[Aymeric Augustin]

Hi Russell,

It seemed to me that this page wasn't nearly as good an introduction to contributing to Django as the contributing guide from the official docs, so I trimmed it and pointed to the docs instead.

In fact, I started by removing incorrect or outdated information — for instance, the workflow described in the page dated back to the pre-git era, replacing get_absolute_url appeared to be the main current project while no one has worked on it for years, etc. A few minutes later there was so little left that I simply rewrote the page.

Generally speaking, I don't believe we'll ever manage to keep the wiki sufficiently accurate and up to date to make it useful. Last year I tried to look for spam links (with a script) and scrub them, but there were so many that I gave up. In my opinion, the viable alternative to our self-hosted wiki is called the World Wide Web :-)

Feel free to restore and perhaps update the previous content. I believe it did more harm than good, but as long as it remains clear that you need to authenticate before you can file a ticket, we'll be all right!

-- 

Aymeric.

To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAJxq8494XsVQXQb-fda%2BA_CV0fXRGt916KZ-AseTRGYcO9LiJA%40mail.gmail.com.

[Collin Anderson]

I was looking at the wiki page myself a few weeks ago an noticed it was horribly out of date. I might be nice to keep that page minimal (maybe just a few links to other pages) because normal users aren't allowed to edit it.

[Danilo Bargen]

I just discovered this change (require Github for login) today and had a hard time finding this discussion. Maybe a link in the wiki would help?

While I agree with the decision to move on to Github Login (finally no more basic auth!) I'd like to have a way to merge my two accounts. Especially the ticket history and the notification settings. Right now there seems to be no way to turn off notification for tickets that are being tracked with the "old" account. While I use the same username (and AFAIR even e-mail) on both accounts, the accounts apparently haven't been merged.

Is there a way to merge accounts? Maybe by writing an e-mail to someone? And if yes, could we put that in the wiki?

Cheers

Danilo

[Russell Keith-Magee]

On Thu, Aug 14, 2014 at 7:20 PM, Aymeric Augustin <aymeric.au...@polytechnique.org> wrote:

Hi Russell,

It seemed to me that this page wasn't nearly as good an introduction to contributing to Django as the contributing guide from the official docs, so I trimmed it and pointed to the docs instead.

In fact, I started by removing incorrect or outdated information — for instance, the workflow described in the page dated back to the pre-git era, replacing get_absolute_url appeared to be the main current project while no one has worked on it for years, etc. A few minutes later there was so little left that I simply rewrote the page.

Generally speaking, I don't believe we'll ever manage to keep the wiki sufficiently accurate and up to date to make it useful. Last year I tried to look for spam links (with a script) and scrub them, but there were so many that I gave up. In my opinion, the viable alternative to our self-hosted wiki is called the World Wide Web :-)

Feel free to restore and perhaps update the previous content. I believe it did more harm than good, but as long as it remains clear that you need to authenticate before you can file a ticket, we'll be all right!

Hi Aymeric,

Your reasoning makes sense - I can't argue that some of the content there was a bit stale. However I think there's a middle ground - that particular page is the landing page for people who want to contribute, so it needs a bit more than a curt "get thyself a github account". 

I'll work on improving what's there.

Russ %-)

[Ola Sitarska]

I think that much better option would be to link "Code" in header of djangoproject.com to this: https://docs.djangoproject.com/en/1.6/internals/contributing/ and make this a landing page for people who want to contribute. 

As a newbie contributor I found it super helpful :)

[Russell Keith-Magee]

I've just updated the wiki homepage, restoring a few pieces of content from the older page. I agree most of the old content wasn't relevant any more, so the changes are mostly about the tone of the page. Hopefully the content in the new version is a little more inviting to newcomers.

I'm sure there are other improvements that could be made - in particular, I think the release process section could benefit from a little more elaboration, highlighting the fact that 1.8 development is underway. Suggestions welcome!

Russ %-)

[Aymeric Augustin]

On 9 août 2014, at 21:21, Aymeric Augustin <aymeric....@polytechnique.org> wrote:

> I tried to support both Trac auth and GitHub auth but I couldn’t make it work.

Eventually, I managed to set up DjangoProject and GitHub auth in parallel.

Contributors who refuse GitHub’s ToS can participate on Trac again.

Issues created by username mismatches have been dealt with.

--
Aymeric.

[Shai Berger]

On Sunday 24 August 2014 20:44:30 Aymeric Augustin wrote:
>
> Eventually, I managed to set up DjangoProject and GitHub auth in parallel.
>
> Contributors who refuse GitHub's ToS can participate on Trac again.
>
> Issues created by username mismatches have been dealt with.

Thanks, Aymeric, for enabling participation on Trac with no GitHub account.

In view of this, adding other OAuth providers has become much less important
for me, and I have put it on the "some day, maybe" shelf. If it is important
to any of you, I may be able to assisst you in getting it up, but you'll
probably need to lift most of the weight yourself.

Shai.

[Ben Finney]

Aymeric Augustin
<aymeric....@polytechnique.org>
writes:

> Contributors who refuse GitHub's ToS can participate on Trac again.

For working to fix this, and for acknowledging these people are
contributors: Thank you!

--
\ “Truth is stranger than fiction, but it is because fiction is |
`\ obliged to stick to possibilities, truth isn't.” —Mark Twain, |
_o__) _Following the Equator_ |
Ben Finney

[Christian Schmitt]

Is there a way to merge user accounts? Currently my github Account is c-schmitt, while my Trac user account ist merb.




—
Best Regards

Christian Schmitt
c.sc...@briefdomain.de

> --
> You received this message because you are subscribed to the Google Groups "Django developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
> To post to this group, send email to django-d...@googlegroups.com.
> Visit this group at http://groups.google.com/group/django-developers.

> To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/8538clzmv8.fsf%40benfinney.id.au.

[Aymeric Augustin]

2014-08-26 9:48 GMT+02:00 Christian Schmitt <c.sc...@briefdomain.de>:

Is there a way to merge user accounts? Currently my github Account is c-schmitt, while my Trac user account ist merb.

Technically, there's no such thing as a Trac account, just a username attached to tickets and comments.

I spent some time Googling for a script that would make these changes automatically, but I couldn't find one.

See https://groups.google.com/forum/#!topic/trac-users/lpA2qSWgOPM for a rough idea of what's needed.

If someone finds a reasonably good-looking script to perform this task, I'll run it for users who request it.

 

--
Aymeric.