Re: Using postgresql.org account as an auth id on third party websites

From Álvaro Hernández
Subject Re: Using postgresql.org account as an auth id on third party websites
Date
Msg-id 15685827-9687-80f0-853b-2fab6815b3e1@ongres.com
In response to Re: Using postgresql.org account as an auth id on third party websites  (Magnus Hagander <magnus@hagander.net>)
List pgsql-www


On 23/9/19 8:52, Magnus Hagander wrote:
This thread is mostly going around in circles. I don't foresee anything productive coming out of it TBH, but I've cut it down to a few points I'd like to still make.

And yes, I have cut severely in the amount of text, and am responding to three mails at once. Because I see no point in re-iterating the answers that have already been said.


On Fri, Sep 20, 2019 at 3:14 AM Álvaro Hernández <aht@ongres.com> wrote:


On 19/9/19 13:53, Magnus Hagander wrote:
On Wed, Sep 18, 2019 at 5:16 PM Álvaro Hernández <aht@ongres.com> wrote:


On 18/9/19 3:45, Magnus Hagander wrote:

    But back on topic, on what concerns my request: let's open this up to any third party organisation --it has already been done. I don't see why having "the team the ability to manage all the data" changes anything. What I'm requesting access to is a system for third-party authentication, similar to "login with Google" or any other auth provider. There's no "forced account delete" mechanism that I'm aware of, and there is little to no information sharing other than "hey, please authenticate this person and let me know the boolean information of whether that was successful or not" (optionally request name and email, as other authentication providers do, that is PII, but that's it). What auth providers do is a way to force delete a session (an authentication token, which typically expires quickly, but could be forcibly expired). This is optional, and in no way would force any deletion on the third party (it is the user who should use the third party's account deletion procedures).

Just because Google does something one way, doesn't mean that we want to do it that way. We are allowed to treat our users better than Google treat their tracking-victims for example, and would like to stick to that level.

    I used Google as an example. You came back with an unrelated, Google rant (????).


You are correct, my apologies. That was terrible phrasing.

    Thank you.


So what I meant to highlight was: you use Google as an example of a free authentication provider. That is not correct -- you pay to use google authentication by feeding google tracking data about your users. The same goes for any of the other examples of other authentication providers mentioned. It is not wrong to label them authentication providers, but it *is* wrong in this context to label them as free.

    Precisely because I know there are people that think like you --I don't completely agree with you here, but this is irrelevant-- that I want to provide users of PostgreSQL services with PostgreSQL Community authentication. Because that's something they may trust more than these third party providers. But apparently nobody wants to change anything, so PostgreSQL users are left with only these options that you don't like.


Oh, and as a general rule, "requesting" unpaid volunteers to do work for you for free is in general not a great way to get them enthusiastic about helping out.

    Did I do so? I don't recall where or when I said that.

Your own words, in the text above:
". What I'm requesting access to is a system for third-party authentication, similar to "login with Google" or any other auth provider."

How is that not "requesting", when you use that very word?

    It is, of course. But I am no one to tell pg-infra team what or when they should do things, and I haven't done that. For now I'm asking for thoughts, and possibly help, but all doors have been closed.

    Rather, I said that if there are not enough volunteers or they are not paid, given that we have enough resources, they should get paid and/or create jobs to fulfill these jobs (not only (or not even) for authentication, but many others).



> >> - Either volunteers, due to being unpaid, are not doing their job
> >> correctly (completely);
> > tbh as one of those volunteers, I kinda find it pretty irritating that
> > that the very first time somebody asks for community auth being opened
> > to non-pginfra managed sites an association of "us" not doing our job
> > correctly comes up just because that feature does not (and/or is not
> > implemented in the way you want it) do like.

>      TBQH, I'm having a really hard time to understand how this
> conclusion could be derived from my words. But it doesn't matter, it's 
> my bad anyway if I made you, or anyone else, feel this way.

So you write "Either volunteers, due to being unpaid, are not doing their job correctly (completely);" 

-- but we're not supposed to read that as the volunteers not doing their job?

    Did you read my apology? I used a wrong language, maybe due to not being a native English speaker, or whatever reason, but what you are all understanding is not what I meant. I wrote a lengthy paragraph explaining what I really wanted to say and apologizing for the confusion.

    Why are you cherry-picking again, back in history, on this topic? I made my point very clear already. If you need me to apologize again for what I didn't mean to mean, I will do happily. But I expected that would be enough clarification of the misunderstanding.

    PostgreSQL *has* financial resources that remain unused, and there's lack of hands. Let's put these resources, mostly coming to donations, to good use!



Is there anything you write that actually means what it says? Because it's really hard to understand what you mean if you write them using words that mean other things.

This is the second time it's literally in the very text you quote and then deny having said.

    That's your opinion, I can only respect it, but disagree with it. Besides, I don't think this comment is constructive.



> * you didn't read it (in which case, please do);

You should maybe try that yourself? At least read the parts that you wrote yourself?

    What haven't I read? I said that because I offered an apology and Dave removed it and responded to the part that was *fixed* by the apology.



> * or you are acting in bad faith, by replying to the first sentence only, and deleting the following paragraph. 

Yes, I did cut intentionally in this email, just like Dave did. I don't know why he did it, but it should be clear why I did it.

    It's not a problem cutting parts of an email. It is a problem to cut an apology and respond to the phrase above it, as it removes all the following context, when the apology refers to that phrase, and actually and completely changes its meaning.


So you are basically repeatedly accusing the pginfra volunteers of not doing a proper job.

    This is a statement which I cannot tolerate. It is unacceptable that you say this after my apology. I beg you to correct this statement, this is inappropriate and unacceptable coming from a Core Member.

Then you are accusing a core team member of acting in bad faith.

    And I believe that you accusing me again of accusing the pginfra volunteers is also bad faith.

    I cannot understand all this backlash against. I offered a very honest and sincere apology over some words which I believe were misunderstood.

    I will say it again, even though I don't understand why it is necessary:

*To all pg-infra volunteers, and all volunteers of the PostgreSQL Community (considering myself also included): I really appreciate all your work. All the work that you have done in the past, all the work being done in the present, and even the work that will be done in the future. Your work is invaluable. I am fully committed to support and help as much as possible. The PostgreSQL software, all of its ecosystem, and all the community around are simply amazing.* Plus, I have no authority to request anyone to do any work. If I have said that some work needs to be done, it is just my opinion on what I believe could be a good thing to do. Please do not look any further than this.

    Now, if there are not enough hands, and there are financial resources, I propose, again, to use them for the best uses possible. That may include helping the pg-infra team if necessary.



So yeah, I think it's time to close this thread out.


>   I believe this argument of "send patches if you want anything to change" is pretty limited in its vision. Because there are many other ways, many of which may be much more efficient to achieve the same result.

It might be limiting. But it's how the entire PostgreSQL project has worked through all time. If you want something done, you either do it yourself or you convince somebody else to do it.

    When something "has always worked like this", it doesn't mean it is still the best way to do it. I'm only saying there are more ways, and I propose to evaluate them. But ears closed, nothing wants to be changed or even considered. Let's just keep everything as it is, no progress, no improvement, not even (constructive) discussion.

And accusing others of not doing their job has never been a way to accomplish that.

    Please refer to my words above and my, again, clarification. You are taking this way too far.

   

>    Why? Can you elaborate? Is there any place where I can find this technical details, given that it is so hard to get any more detailed response on this email thread?

In the very first response on this thread, Jonathan sent you the link to the documentation *and source code* for the system. If that's not technical enough, then what do you actually want? I can send you a precompiled bytecode file?

    Maybe a summary, context, a 2 or 5 or 10 bullets explaining what needs to be changed?

    Surely I can dig the source code, but maybe that 10 minute effort (you all already spent way more time on this thread) would save hours. I don't think it's something so huge to ask for.



>   ... while not changing the substance of it: pg-infra is:
> * Providing hosting services to entities like the PostgreSQL Europe Association.
> * Providing login service to entities like the PostgreSQL Europe Association.
> * Probably other services, and to other entities.
> * Not willing to provide the above services to any other entity.
>     This is creating a differentiation (through discrimination) and exclusiveness that nobody here is addressing but me. Don't you see it? I understand how things came this way, and I'm fine with this. But once this is identified, this needs to be resolved.

Except you have explicitly *rejected* the offer of being hosted on pginfra. It was offered, and you said no. Surely that is not *our* fault.

There is nothing preventing you from hosting your service on pginfra under the same terms as anybody else. But you didn't *want* that.

    Can you please share what are those terms? Are they public? Are they open to anyone? Can really any entity host any service within pginfra? Please let me know, I'm very interested indeed. Thank you.


In summary:

You wrote:
>    postgresqlco.nf is a free service, developed and run by OnGres. I don't think is a good fit to run on a non-profit entity's infrastructure. Is PostgreSQL infra providing hosting services for companies?

And you are absolutely correct. PostgreSQL infra is not providing hosting services for companies.

So why should we build and maintain an authentication service for companies?

    What I want is a fair ecosystem and an inclusive Community. There are at least two services (surely more) that are provided, so far, to only some entities: infrastructure and postgresql.org login. *If* they are provided to some, I truly believe they should be provided to the whole Community, regardless of whether they are NPOs or companies or whomever, under the same terms. That is an inclusive Community, that's an Open Community.

    Regardless of this: I believe the postgresql.org login is something that may benefit the Community as a whole, and the more they use it (whatever kind of entity it would be) it would be a good thing. This is all that I wanted to accomplish here.




This thread is clearly not getting anywhere. Let's close it here.

I would suggest you proceed down one of two paths:

1. Provide an actual complete proposal *including the code to implement it*, which also outlines the requirements to support the system long-term, for something based on the current community authentication. This has repeatedly been requested. You don't like this option, so that's fine.

2. Build out a working authentication service that solves this problem, under a different umbrella. Once you have a proven solution for it, you will have a much easier time convincing people of using it, instead of just requesting other people to do the work. I would *love* for pginfra not to have to deal with the user service parts of handling it for example. Anything that solves that part would be *much* appreciated, and it would be an actual *improvement* over what is there today.



    I'm OK closing the thread here. I believe the path should be different, though: the PostgreSQL Community (I guess, Core) should decide on what services are provided to the Community and rule out (if they aren't) under which terms they are provided. Leaning on the "the more open, the better" side, IMHO, and without creating privileged positions.


    Regards,

    Álvaro


-- 

Alvaro Hernandez


-----------
OnGres
