Based on discussions on the development mailing list (about privacy issues and data collection concerns) as well as http://drupal.org/node/66241#comment-311021 and http://drupal.org/node/66241#comment-311037 we are moving drupal.module to the contributions repository. What needs to be done:

- a maintainer should step up
- a new project name should be decided on (ie. the module should not retain the Drupal name)
- the current drupal.module code should be committed to that project
- drupal.module should be removed from Drupal 6

Once this is done, this issue can be marked fixed. And the new module should

- provide an upgrade path, so users authenticated previously by drupal.module still get their authentication from the new module properly
- any other outstanding issues for drupal.module should be moved over to this new module

CommentFileSizeAuthor
#9 drupal-remove-178768-9.patch24.51 KBpwolanin
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

AjK’s picture

I'd be happy to take this on in Contrib and rework it as required.

pwolanin’s picture

I've previously suggested "Drupalnet" as a replacement module name (implying "Drupal sites network" or some such).

Gábor Hojtsy’s picture

Given the privacy (phone home) and security (dist auth) implications of this module, it might not be a good idea to keep "Drupal" in the name, given how an accident with the module can give Drupal a bad name.

Also, Moshe notes on the mailing list:

the module is quite self contained so it can be simply dropped from
drupal core. the only exception i'm aware of is some bits at top and
bottom of user_save() which need to move into hook_user() in
drupal.module

Freso’s picture

From what I understood of the devel list discussion, the "phone home" feature(s) should be removed (as Drupal doesn't log or otherwise use the data phoned home anyway). Am I right about this?

If the above impression is correct, how about "old_auth"? Or even "old_dist_auth"?

webchick’s picture

Old compared to what? How many "old" types of auth could we potentially end up with? Seems like a semantic mess... :(

How about name it functionally for what it does, which is allow logins from affiliate sites: affiliate_login module or something.

Gábor Hojtsy’s picture

Or site_network.module if both features are kept. The phone home feature might be interesting still for a *very* limited amount of people. If not, affiliate_login.module seems to be a fine idea for me.

Anonymous’s picture

New name: Peer Authentication
New description: Enable server to receive peer requests for authentication.

Anonymous’s picture

I just read webchick's suggestion for affiliate_login. I don't like this term for this module. It makes me think that I'm going to be paying money to someone who publishes advertising for some fee.

pwolanin’s picture

Status: Active » Needs review
FileSize
24.51 KB

as far as I understand it - the authentication code that mose refers to in user_save is general, and not limited to the Drupal module. So - should it in fact be deleted?

Attached is a patch to just remove the drupal module files from core.

Gábor Hojtsy’s picture

Indeed, user_set_authmaps(), user_get_authmaps() and friends seem to be quite general, and needed to support other dist auth schemes, so I am not sure what Moshe referred to.

In general I'd love to see this module moved to contribs soon and then remove it from core, when we can point to a module (in the commit message, the changelog and in the update docs). So we need a project URL where we can point to.

moshe weitzman’s picture

yeah, i guess those authmap related bigs can stay. still, that 4 letter prefix of 'auth' on the key is pretty clunky. thats my first contribution to drupal - six years ago. i didn't know php back then.

i think site_network is a good name.

so AJK - please create that project and commit drupal.module code there and then let us know so gabor can commit this.

Freso’s picture

FWIW: I, too, dislike the use of "affiliate", but am fine with "site_network". Now, let's get this into contrib land. :)

moshe weitzman’s picture

upon further reflection, i do think the whole authmap API should be dumped for D7. modules can maintain own mapping table. they often want to store additional details anyway. since that would require changes to openid.module, lets defer until D7.

dww’s picture

This comment is more for the contrib site_network.module (or whatever it ends up being called), but I strongly vote for ripping out the existing drupal.module's phone home features:

a) the data is highly skewed because it's tied to distributed auth
b) the kind of data we collect (even though it's opt-in) is enough to get us in trouble with the privacy-heads
c) we never inspect the data
d) we have no intention of ever making it easy to inspect this data
e) the XML-RPC handler for the data is itself buggy (see http://drupal.org/node/164054)
...

Let's just move the distributed-auth aspects to contrib, and let the phone home stuff die. Don't know if that impacts the naming decision. "site_network" still makes sense as a way to describe this particular authentication scheme, even if that's all it's doing. OTOH, it might be nice to put "auth" or "authentication" in the name if that's all it does.

Cheers,
-Derek

hass’s picture

Thank you for whipping this security hole out... after the name is clear and code is moved the case http://drupal.org/node/93048 should be moved over to this new project.

Gábor Hojtsy’s picture

auth_network or whatever could be another option. Although I feel whatever short name we are trying to come up with, it is getting to sound too generic. So let's decide on one and move on!

moshe weitzman’s picture

The site_network module needs a maintainer if AJK doesn't want it. We'll take anyone! Fast!. Just copy the drupal.module module and commit to Contrib and make a project. Then tell us the URL.

Dries’s picture

If no one takes it within 24 hours from now, we can go ahead and nuke it from HEAD. A maintainer will arise if there is a need for it.

moshe weitzman’s picture

fyi, http://drupal.org/node/181578 patches drupal.module so it would be convenient to apply that before removing drupal.module. also, whomever revives drupal.module might want to reove the enable/disable setting in its admin since enabling that module will probably imply that you want dist auth.

Gábor Hojtsy’s picture

Status: Needs review » Needs work

Moshe, I looked at that issue, and it does not touch drupal.module, only user.module.

So as Dries announced, it was time to remove the module, which I just did. I mark this needs work, so AjK can take the latest Drupal module code and set up the project. Existing unresolved issues against drupal.module still need to be recategorized for the new project at that time.

AjK’s picture

I've taken on the maintainer role for this and I'll "fix" this issue once I have created the contrib project and transffered the current issue queue to the new contrib.

moshe weitzman’s picture

i strongly recommend that drupal.org continue to run this module. Many many people on groups.drupal.org use login via DA to drupal.org and hey will all be shut out if we stop running this module. There are lots of other sites like this too.

So thanks AJK for turning this into a proper Contrib ASAP.

AjK’s picture

Project: Drupal core » Site Network
Version: 6.x-dev »
Component: drupal.module » Code

OK, I have created the initial Contrib module "site_network". The work done here is minimalist at this point (i.e read as "not tested yet").

I have moved all outstanding issues to the new module. This is the last issue to move.

I expect to work on it's issue queue this week.

Gábor Hojtsy’s picture

Status: Needs work » Fixed

Added changelog entry to Drupal 6.x-dev which makes this issue fixed.

Anonymous’s picture

Status: Fixed » Closed (fixed)