Monday, March 18, 2024
dev@conference.yunohost.org
[01:46:49] <Yunohost Git/Infra notifications> Autoupdater just ran, here are the results:
- 59 pending update PRs
- 10 new apps PRs
- 5 failed apps updates: dokuwiki, elasticsearch8, focalboard, tvheadend, vikunja
See the full log here: http://paste.yunohost.org/raw/wadanozepe
[04:40:12] <Émy - OniriCorpe> https://mastodon.social/@glyph/112114506390508586
[18:18:58] <Yunohost Git/Infra notifications> [webhooks] @Psycojoker pushed 1 commit to master: feat: handle pull_request assigned action ([5318ee44](https://github.com/YunoHost/webhooks/commit/5318ee44343898b41d30eaa903a1a2798306d9cd))
[18:20:26] <Bram> in case you are wondering: those kinds of warnings are actually pretty easy to fix
[18:20:27] <Bram> https://aria.im/_matrix/media/v1/download/matrix.org/ljKBCWJKzXJDolqPMZbCHSKx
[18:20:34] <Bram> see https://github.com/YunoHost/webhooks/commit/5318ee44343898b41d30eaa903a1a2798306d9cd
[21:18:38] <orhtej2> If I think some insides of SSO working are questionable should I ask here or report via security issues reporting channel? Perhaps it's working as intended and i'm just paranoid
[21:24:47] <orhtej2> > If I think some insides of SSO working are questionable should I ask here or report via security issues reporting channel? Perhaps it's working as intended and i'm just paranoid

¯\_(ツ)_/¯ ah it's a well known behaviour
[21:24:55] <Bram> which behavior?
[21:28:01] <orhtej2> > <@Bram_:matrix.org> which behavior?

the one where Authorization header contains plaintext password
[21:28:28] <Bram> > the one where Authorization header contains plaintext password

ah yes that's one old behavior for the applications, it's only between SSO and the apps
[21:28:57] <Bram> it's not great but most applications aren't ready for SSO v_v
[21:32:17] <Émy - OniriCorpe> > the one where Authorization header contains plaintext password

standard practices \\:D/
[21:32:39] <orhtej2> > <@oniricorpe:im.emelyne.eu> standard practices \\:D/

#YoloHost
[21:34:45] <Émy - OniriCorpe> it's not plaintext if it's base64 encrypted 😌 /s
[21:35:30] <Bram> I'm pretty sure there are a lot of ways to do this thing better but heh, the workforce is very limited
[21:36:11] <Bram> and the work is ridiculously gigantic (on yunohost in general)
[21:39:03] <orhtej2> we should move towards promoting Dex or LDAP?
[21:39:06] <orhtej2> (right after packaging v2 is done)
[21:39:08] <orhtej2> (and YNH 12)
[21:39:13] <orhtej2> (and packaging v3)
[21:39:16] <Émy - OniriCorpe> i think the user expectations are much more ridiculously gigantic than the actual work needed on yunohost itself
[21:40:15] <orhtej2> nevertheless I agree, I was able to snoop said headers when I injected 'malicious' service to debug wtf Piped is complaining about
[21:40:17] <Émy - OniriCorpe> > we should move towards promoting Dex or LDAP?

neeeh, i'm not fan of an app like Dex for yunohost
it's fine to work around, but not very much
[21:40:19] <orhtej2> so as a malicious admin I can....
[21:40:44] <Bram> as a malicious admin you can pretty much fuck everything up
[21:40:50] <orhtej2> ^ that's the joke
[21:41:00] <Bram> ah, it was a joke '^'
[21:41:22] <Émy - OniriCorpe> > <@oniricorpe:im.emelyne.eu> neeeh, i'm not fan of an app like Dex for yunohost
> it's fine to work around, but not very much

i mean, i'm not to promote something like Dex as yunohost
but if people are using Dex on their own, it's fine
[21:41:38] <orhtej2> > <@oniricorpe:im.emelyne.eu> neeeh, i'm not fan of an app like Dex for yunohost
> it's fine to work around, but not very much

WDYM? It's a nice OAuth2/SSOWat bridge? Unless I don't understand?
[21:44:06] <Émy - OniriCorpe> > WDYM? It's a nice OAuth2/SSOWat bridge? Unless I don't understand?

because:
- my previous message
- it's an app to compile, it's independent of yunohost and if it fails, it'll be our fault
- promoting it will mean that we'll have to transition to our own implementation the day we do, i prefer to say nothing and let people tinker
[21:45:55] <Émy - OniriCorpe> i would be MUCH more in favor of:
- implement OIDC in ynh in the looooong term
- use https://yaal.coop/blog/en/canaille-nlnet-pytest-iam
[21:46:28] <Émy - OniriCorpe> so yeah, i see dex as a great workaround tool, not more
[21:50:25] <orhtej2> oh they're no longer selling XKCD 'Opinions!' stickers :/
[21:50:37] <Émy - OniriCorpe> > <@oniricorpe:im.emelyne.eu> i would be MUCH more in favor of:
> - implement OIDC in ynh in the looooong term
> - use https://yaal.coop/blog/en/canaille-nlnet-pytest-iam

- "acknowledge that some apps aren't compatible with yunohost (for technical or ethical reasons) and forcing them to fit the mold isn't a good idea" aka "if the app doesn't support LDAP but OIDC, too bad" cf https://github.com/YunoHost/issues/issues/2357
[23:01:51] <Aleks (he/him/il/lui)> > the one where Authorization header contains plaintext password

there's some improvement on that in bookworm, though i was hoping to make "not sending the password" the default, but turns out several apps do need it