Re: Using postgresql.org account as an auth id on third party websites

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Álvaro Hernández <aht(at)ongres(dot)com>
Cc: "Jonathan S(dot) Katz" <jkatz(at)postgresql(dot)org>, PostgreSQL WWW <pgsql-www(at)lists(dot)postgresql(dot)org>
Subject: Re: Using postgresql.org account as an auth id on third party websites
Date: 2019-09-23 12:52:22
Message-ID: CABUevEwr=Teu7=2MDmqMO-FB0ougMARkJ+xytxNx2qYkXc7msQ@mail.gmail.com
Lists: pgsql-www

This thread is mostly going around in circles. I don't foresee anything
productive coming out of it TBH, but I've cut it down to a few points I'd
like to still make.

And yes, I have cut severely in the amount of text, and am responding to
three mails at once. Because I see no point in re-iterating the answers
that have already been said.

On Fri, Sep 20, 2019 at 3:14 AM Álvaro Hernández <aht(at)ongres(dot)com> wrote:

>
>
> On 19/9/19 13:53, Magnus Hagander wrote:
>
> On Wed, Sep 18, 2019 at 5:16 PM Álvaro Hernández <aht(at)ongres(dot)com> wrote:
>
>>
>>
>> On 18/9/19 3:45, Magnus Hagander wrote:
>>
>
>> But back on topic, on what concerns my request: let's open this up to
>> any third party organisation --it has already been done. I don't see why
>> having "the team the ability to manage all the data" changes anything. What
>> I'm requesting access to is a system for third-party authentication,
>> similar to "login with Google" or any other auth provider. There's no
>> "forced account delete" mechanism that I'm aware of, and there is little to
>> no information sharing other than "hey, please authenticate this person and
>> let me know the boolean information of whether that was successful or not"
>> (optionally request name and email, as other authentication providers do,
>> that is PII, but that's it). What auth providers do is a way to force
>> delete a session (an authentication token, which typically expires quickly,
>> but could be forcibly expired). This is optional, and in no way would force
>> any deletion on the third party (it is the user who should use the third
>> party's account deletion procedures).
>>
>
> Just because Google does something one way, doesn't mean that we want to
> do it that way. We are allowed to treat our users better than Google treat
> their tracking-victims for example, and would like to
> stick to that level.
>
>
> I used Google as an example. You came back with an unrelated, Google
> rant (????).
>

You are correct, my apologies. That was terrible phrasing.

So what I meant to highlight was: you use Google as an example of a free
authentication provider. That is not correct -- you pay to use Google
authentication by feeding Google tracking data about your users. The same
goes for any of the other examples of other authentication providers
mentioned. It is not wrong to label them authentication providers, but it
*is* wrong in this context to label them as free.

> Oh, and as a general rule, "requesting" unpaid volunteers to do work for
> you for free is in general not a great way to get them enthusiastic about
> helping out.
>
>
> Did I do so? I don't recall where or when I said that.
>

Your own words, in the text above:
". What I'm requesting access to is a system for third-party
authentication, similar to "login with Google" or any other auth provider."

How is that not "requesting", when you use that very word?

> >> - Either volunteers, due to being unpaid, are not doing their job
> >> correctly (completely);
> > tbh as one of those volunteers, I kinda find it pretty irritating that
> > the very first time somebody asks for community auth being opened
> > to non-pginfra managed sites an association of "us" not doing our job
> > correctly comes up just because that feature does not (and/or is not
> > implemented in the way you want it) do like.

> TBQH, I'm having a really hard time to understand how this
> conclusion could be derived from my words. But it doesn't matter, it's
> my bad anyway if I made you, or anyone else, feel this way.

So you write "Either volunteers, due to being unpaid, are not doing their
job correctly (completely);"

-- but we're not supposed to read that as the volunteers not doing their
job?

Is there anything you write that actually means what it says? Because it's
really hard to understand what you mean if you write them using words that
mean other things.

This is the second time it's literally in the very text you quote and then
deny having said.

> * you didn't read it (in which case, please do);

You should maybe try that yourself? At least read the parts that you wrote
yourself?

> * or you are acting in bad faith, by replying to the first sentence only,
> and deleting the following paragraph.

Yes, I did cut intentionally in this email, just like Dave did. I don't
know why he did it, but it should be clear why I did it.

So you are basically repeatedly accusing the pginfra volunteers of not
doing a proper job. Then you are accusing a core team member of acting in
bad faith.

So yeah, I think it's time to close this thread out.

> I believe this argument of "send patches if you want anything to
> change" is pretty limited in its vision. Because there are many other ways,
> many of which may be much more efficient to achieve the same result.

It might be limiting. But it's how the entire PostgreSQL project has worked
through all time. If you want something done, you either do it yourself or
you convince somebody else to do it. And accusing others of not doing their
job has never been a way to accomplish that.

> Why? Can you elaborate? Is there any place where I can find this
> technical details, given that it is so hard to get any more detailed
> response on this email thread?

In the very first response on this thread, Jonathan sent you the link to
the documentation *and source code* for the system. If that's not technical
enough, then what do you actually want? I can send you a precompiled bytecode
file?

> ... while not changing the substance of it: pg-infra is:
> * Providing hosting services to entities like the PostgreSQL Europe
> Association.
> * Providing login service to entities like the PostgreSQL Europe
> Association.
> * Probably other services, and to other entities.
> * Not willing to provide the above services to any other entity.
> This is creating a differentiation (through discrimination) and
> exclusiveness that nobody here is addressing but me. Don't you see it? I
> understand how things came this way, and I'm fine with this. But once this
> is identified, this needs to be resolved.

Except you have explicitly *rejected* the offer of being hosted on pginfra.
It was offered, and you said no. Surely that is not *our* fault.

There is nothing preventing you from hosting your service on pginfra under
the same terms as anybody else. But you didn't *want* that.

In summary:

You wrote:
> postgresqlco.nf is a free service, developed and run by OnGres. I
> don't think is a good fit to run on a non-profit entity's infrastructure.
> Is PostgreSQL infra providing hosting services for companies?

And you are absolutely correct. PostgreSQL infra is not providing hosting
services for companies.

So why should we build and maintain an authentication service for companies?

This thread is clearly not getting anywhere. Let's close it here.

I would suggest you proceed down one of two paths:

1. Provide an actual complete proposal *including the code to implement
it*, which also outlines the requirements to support the system long-term,
for something based on the current community authentication. This has
repeatedly been requested. You don't like this option, so that's fine.

2. Build out a working authentication service that solves this problem,
under a different umbrella. Once you have a proven solution for it, you
will have a much easier time convincing people of using it, instead of just
requesting other people to do the work. I would *love* for pginfra not to have
to deal with the user service parts of handling it for example.
Anything that solves that part would be *much* appreciated, and it would be
an actual *improvement* over what is there today.

//Magnus
