Hi,
I’ve been encouraged on the IRC channel to open a discussion here.
An official announcement has been made today that Microsoft will be acquiring Github within the year. As a consequence, some Mozillians might become suspicious towards Github. Moreover, it might seem unconsistent that one is required to use a Microsoft property to sign in to Mozilla services.
So I suggest we discuss about the possibility to provide more authentication methods.
PS: I’m not native English, please excuse my tendency to make overly complex sentences
A very topical question! Did you have an alternative in mind?
There is much work progressing via Participation Systems which has been integrating a number of approaches to identity access management the last year. It’s my view, that Github was one of the first of these as we could use Oauth and hardware 2FA devices like Yubikeys. Solved a lot of issues quickly. We could not have known about Microsoft’s inention for this acquisition, and I do not currently know Mozilla’s official position on this.
Please understand that ParSys team is busy rolling out a number of alternatives in an IAM roadmap. Things like: staff and volunteer contact information is merging into the one tool, and integrating a more useful Firefox accounts identity. I asked about 2FA/U2F in bug 1464888 specifically in the Firefox Accounts so we had other options than Github.
Actually no. I would have suggested that Mozilla use its own auth provider, but there was Persona before and it’s been discontinued. I don’t know the reasons but I guess they must have been good reasons.
This would be great! I have a Yubikey too and I don’t find many opportunities to use it.
Thanks for starting the discussion here. We also discussed it briefly in our dev meeting earlier today. At this point we have no plans to integrate other authentication systems. It’s not clear that the added overhead and complexity stands in any relation to the perceived benefit. It’ also partially motivated by our integration with Github that we’d like to explore further this year and next. Adding other authentication methods would make that more complicated, so we’d need a compelling reason to still pursue that.
The issue comes up from the microsoft acquiring github.
Currently, there are only one way to login to MDN web docs, that is github. So if anyone wants to contribute to MDN, they must accept the privacy policy of mozilla as well as github. People are comfortable with mozilla, but after microsoft acquisition, many person do not comfortable to share their data with github. So that will be a berrier for them to contribute in MDN.
Moreover, a good issue comes from the IRC that, if anyone wants to delete his github account, the only one thing that will prevent him is MDN web docs. because if he delete his github account, he can no longer contribute to MDN web docs.
I understand that adding another authentication method maybe complicated. But we should consider it in the near future. Maybe Firefox account is well suited with our needs?
GitHub’s privacy policy has not changed with this announcement. (Though I think it recently changed as part of the GDPR wave.) You can be sure that Mozilla will be watching any future privacy policy changes closely, as there are many Mozilla projects that use GitHub. There are reasons to consider having another authentication provider, and avoiding a single point of failure is one of them. But “Microsoft is the bogeyman” is not.
I personally agree that we need another authentication method than GitHub. Not because of the Microsoft acquisition, but because there are non-developers who historically have done some contributing to MDN and requiring them to have a GitHub account may be prohibitive toward their contribution. I am hopeful that Firefox accounts will reach a point where we could use that as another login method for MDN).
Of course, there are mistakes in their assumptions about MDN in that. Like, we only currently use a PR model for data content, not for prose. That may change going forward, but is not currently true and won’t be for a good while yet at best.
That said, that sounds like an interesting concept.
MS is part of Big Data and dreaded - to put it mildly - by many in the free software world.
MS also feels at liberty to violently change their policies at any time without prior notice and might - like others already do - deplatform their own customers for somewhat less than compelling reasons.
Many free software advocates clearly feel uneasy and uncomfortable with having to accept Microsoft rules (being the only one option) if they want to help out MDN and be at the mercy of a large corporation whose policies in other fields they utterly dislike.
Indeed! Forcing people to accept Microsoft house-rules is unacceptable - MS being a highly politicized American entity - to many Free-Software advocates.
Mozilla may well lose - or not attract - valuable contributors.
Truth be told, in my todays web-search over the %s URL parameter I found the best content way outside of any Mozilla site. Incidentally, contributors there were not forced to accept Micro$oft rules, which are somewhat incisive, as some have found out much to their chagrin.
