Based on discussions on the development mailing list (about privacy issues and data collection concerns) as well as http://drupal.org/node/66241#comment-311021 and http://drupal.org/node/66241#comment-311037 we are moving drupal.module to the contributions repository. What needs to be done:
- a maintainer should step up
- a new project name should be decided on (i.e. the module should not retain the Drupal name)
- the current drupal.module code should be committed to that project
- drupal.module should be removed from Drupal 6
Once this is done, this issue can be marked fixed. And the new module should
- provide an upgrade path, so users authenticated previously by drupal.module still get their authentication from the new module properly
- any other outstanding issues for drupal.module should be moved over to this new module
Comment | File | Size | Author |
---|---|---|---|
#9 | drupal-remove-178768-9.patch | 24.51 KB | pwolanin |
Comments
Comment #1
AjK commented: I'd be happy to take this on in Contrib and rework it as required.
Comment #2
pwolanin commented: I've previously suggested "Drupalnet" as a replacement module name (implying "Drupal sites network" or some such).
Comment #3
Gábor Hojtsy commented: Given the privacy (phone home) and security (dist auth) implications of this module, it might not be a good idea to keep "Drupal" in the name, given how an accident with the module can give Drupal a bad name.
Also, Moshe notes on the mailing list:
Comment #4
Freso commented: From what I understood of the devel list discussion, the "phone home" feature(s) should be removed (as Drupal doesn't log or otherwise use the data phoned home anyway). Am I right about this?
If the above impression is correct, how about "old_auth"? Or even "old_dist_auth"?
Comment #5
webchick commented: Old compared to what? How many "old" types of auth could we potentially end up with? Seems like a semantic mess... :(
How about name it functionally for what it does, which is allow logins from affiliate sites: affiliate_login module or something.
Comment #6
Gábor Hojtsy commented: Or site_network.module if both features are kept. The phone home feature might be interesting still for a *very* limited amount of people. If not, affiliate_login.module seems to be a fine idea for me.
Comment #7
Anonymous (not verified) commented: New name: Peer Authentication
New description: Enable server to receive peer requests for authentication.
Comment #8
Anonymous (not verified) commented: I just read webchick's suggestion for affiliate_login. I don't like this term for this module. It makes me think that I'm going to be paying money to someone who publishes advertising for some fee.
Comment #9
pwolanin commented: As far as I understand it - the authentication code that Moshe refers to in user_save is general, and not limited to the Drupal module. So - should it in fact be deleted?
Attached is a patch to just remove the drupal module files from core.
Comment #10
Gábor Hojtsy commented: Indeed, user_set_authmaps(), user_get_authmaps() and friends seem to be quite general, and needed to support other dist auth schemes, so I am not sure what Moshe referred to.
In general I'd love to see this module moved to contribs soon and then remove it from core, when we can point to a module (in the commit message, the changelog and in the update docs). So we need a project URL where we can point to.
Comment #11
moshe weitzman commented: yeah, i guess those authmap related bits can stay. still, that 4 letter prefix of 'auth' on the key is pretty clunky. that's my first contribution to drupal - six years ago. i didn't know php back then.
i think site_network is a good name.
so AJK - please create that project and commit drupal.module code there and then let us know so gabor can commit this.
Comment #12
Freso commented: FWIW: I, too, dislike the use of "affiliate", but am fine with "site_network". Now, let's get this into contrib land. :)
Comment #13
moshe weitzman commented: upon further reflection, i do think the whole authmap API should be dumped for D7. modules can maintain own mapping table. they often want to store additional details anyway. since that would require changes to openid.module, let's defer until D7.
Comment #14
dww commented: This comment is more for the contrib site_network.module (or whatever it ends up being called), but I strongly vote for ripping out the existing drupal.module's phone home features:
a) the data is highly skewed because it's tied to distributed auth
b) the kind of data we collect (even though it's opt-in) is enough to get us in trouble with the privacy-heads
c) we never inspect the data
d) we have no intention of ever making it easy to inspect this data
e) the XML-RPC handler for the data is itself buggy (see http://drupal.org/node/164054)
...
Let's just move the distributed-auth aspects to contrib, and let the phone home stuff die. Don't know if that impacts the naming decision. "site_network" still makes sense as a way to describe this particular authentication scheme, even if that's all it's doing. OTOH, it might be nice to put "auth" or "authentication" in the name if that's all it does.
Cheers,
-Derek
Comment #15
hass commented: Thank you for wiping this security hole out... after the name is clear and code is moved the case http://drupal.org/node/93048 should be moved over to this new project.
Comment #16
Gábor Hojtsy commented: auth_network or whatever could be another option. Although I feel whatever short name we are trying to come up with, it is getting to sound too generic. So let's decide on one and move on!
Comment #17
moshe weitzman commented: The site_network module needs a maintainer if AJK doesn't want it. We'll take anyone! Fast! Just copy the drupal.module module and commit to Contrib and make a project. Then tell us the URL.
Comment #18
Dries commented: If no one takes it within 24 hours from now, we can go ahead and nuke it from HEAD. A maintainer will arise if there is a need for it.
Comment #19
moshe weitzman commented: fyi, http://drupal.org/node/181578 patches drupal.module so it would be convenient to apply that before removing drupal.module. also, whoever revives drupal.module might want to remove the enable/disable setting in its admin since enabling that module will probably imply that you want dist auth.
Comment #20
Gábor Hojtsy commented: Moshe, I looked at that issue, and it does not touch drupal.module, only user.module.
So as Dries announced, it was time to remove the module, which I just did. I mark this needs work, so AjK can take the latest Drupal module code and set up the project. Existing unresolved issues against drupal.module still need to be recategorized for the new project at that time.
Comment #21
AjK commented: I've taken on the maintainer role for this and I'll "fix" this issue once I have created the contrib project and transferred the current issue queue to the new contrib.
Comment #22
moshe weitzman commented: i strongly recommend that drupal.org continue to run this module. Many many people on groups.drupal.org use login via DA to drupal.org and they will all be shut out if we stop running this module. There are lots of other sites like this too.
So thanks AJK for turning this into a proper Contrib ASAP.
Comment #23
AjK commented: OK, I have created the initial Contrib module "site_network". The work done here is minimalist at this point (i.e. read as "not tested yet").
I have moved all outstanding issues to the new module. This is the last issue to move.
I expect to work on its issue queue this week.
Comment #24
Gábor Hojtsy commented: Added changelog entry to Drupal 6.x-dev which makes this issue fixed.