Re: 2020 Authentication Initiativ

2019-04-10 Thread Barnaby
If we go to the most common use case, email + password is the current 
"default" of the web, rather than username + password. It would make sense 
for Django to use email + password by default.

It also feels like first_name and last_name have no place in AbstractUser 
and should be moved to NamedAbstractUser or something.

So we'd remove username, first_name and last_name by default.

Regarding other means of authentication, I don't know if Django should 
support any out-of-the-box. Magic Links could be a decent default but they 
do raise security issues and require email setup.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/2ec07906-8a2a-4b63-a850-99e8fef95b5a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: Google "Season of Docs"

2019-04-10 Thread William Hakizimana
Just out of curiosity, I was wondering if we got any traction on this.

On Monday, March 18, 2019 at 5:27:47 AM UTC-5, Carlton Gibson wrote:
>
> Hi all, 
>
> Parallel to GSoC, Google now have this "Season of Docs" programme: 
>
> https://developers.google.com/season-of-docs/
>
> The idea is experienced technical writers can get funding to work with 
> open source projects on their docs. 
>
> There are a lot of open Documentation issues.
>
> As such if you have, or if you know someone with, strong writing skills
> and you (they) might be interested here let me know and we can look into
> this.
>
> I can't quite work out whether if we just apply we might attract a writer,
> but it would be awesome if already someone in the community was keen for
> this.
>
> Thanks. 
>
> Kind Regards,
>
> Carlton
>
>



Re: 2020 Authentication Initiativ

2019-04-10 Thread Florian Apolloner
Hi Joe,

uff you are bringing up a hard topic :) Yes I absolutely would like Django 
to have better support for WebAuth (u2f-like tokens at least), and probably 
another one or two (I'd keep the scope for support in Django small though 
once we know that the API works).

Getting this actually implemented might be a different story though. I am 
imagining quite a bit of work and effort. I think a first step would be to
spec required features out a bit and then start working on a DEP. Probably 
raise some money along the way, because I imagine this to be a rather big 
project -- but the support is certainly there!

Cheers,
Florian

On Friday, April 5, 2019 at 1:17:31 PM UTC+2, Johannes Hoppe wrote:
>
> Hi there,
>
> I wanted to start a longer discussion on authentication. I have been
> looking a lot into alternative Django authentication backends, to see what
> ideas people have come up with. Sadly, I also discovered many security
> issues while reviewing some prominent packages. Anyhow, Django started out
> with username and password, which for the time being was a good idea I 
> guess. Looking forward, I believe it is a good time to reevaluate that 
> concept for the decade to come.
>
> There have been plenty new developments, 2FA, OAUTH2, SAML, OpenId 
> (connect), OTP and the list goes on. Many of them even made it into proper 
> standards and have been adopted in soft- and hardware.
>
> I think to get the discussion into the right direction, we first need to 
> figure out, what Django is supposed to provide.
>
> IMHO Django should provide a secure and simple (for developers) out of the 
> box solution. That allows anyone who doesn't hold a PhD in crypto science
> to build a secure web service.
> As anything in Django, it should be extendable or swappable for more 
> advanced use cases and there should be plenty well written documentation on 
> how to do that securely.
>
> With that idea in mind, I see a personal problem with password. Passwords 
> have been proven to not be secure, mostly because people are using it 
> wrong. 123456 is still the most commonly used password. So it is not 
> strange to me, that everyone is looking for different authentication 
> methods and developers use different authentication backends. I actually 
> haven't used Django password authentication in the last 5 years and there 
> are others like me, I presume. Out of that demand people even started
> building their own authentication backends. This is the point where I
> wished everyone had a PhD in crypto science. Bottom line, you end up with
> many unsecure services. The very thing Django should be good at, by my 
> definition earlier on.
>
> Anyhow, I am curious what your thoughts on this matter are. Mainly what 
> you believe Django's place in all this is and how this could be implemented.
>
> Best
> -Joe
>



Re: 2020 Authentication Initiativ

2019-04-10 Thread Collin Anderson
Email + password auth is definitely a wanted feature out of the box, and
probably a good first step would be to create a separate AbstractEmailUser
or something like that. Seems to me AbstractUser shouldn't be changed for
backwards compatibility reasons, but maybe something like a
BaseAbstractUser would be helpful?

And here's a past discussion and ticket (from 5 years ago):
https://groups.google.com/d/topic/django-developers/7feYlp9HqKs/discussion
https://code.djangoproject.com/ticket/20824

Also related: UserCreationForm by default allows usernames that differ only
by case
https://code.djangoproject.com/ticket/25617

On Wed, Apr 10, 2019 at 7:12 AM Barnaby wrote:

> If we go to the most common use case, email + password is the current
> "default" of the web, rather than username + password. It would make sense
> for Django to use email + password by default.
>
> It also feels like first_name and last_name have no place in AbstractUser
> and should be moved to NamedAbstractUser or something.
>
> So we'd remove username, first_name and last_name by default.
>
> Regarding other means of authentication, I don't know if Django should
> support any out-of-the-box. Magic Links could be a decent default but they
> do raise security issues and require email setup.



Re: Google "Season of Docs"

2019-04-10 Thread Carlton Gibson
Hi William.

A few people have shown interest so I will apply as an org for us. Then
candidates can apply. (I’m hopeful we could get multiple slots but it’s a
new programme so I don’t really know.)

C.

On Wed, 10 Apr 2019 at 21:03, William Hakizimana wrote:

> Just out of curiosity, I was wondering if we got any traction on this.
>
> On Monday, March 18, 2019 at 5:27:47 AM UTC-5, Carlton Gibson wrote:
>>
>> Hi all,
>>
>> Parallel to GSoC, Google now have this "Season of Docs" programme:
>>
>> https://developers.google.com/season-of-docs/
>>
>> The idea is experienced technical writers can get funding to work with
>> open source projects on their docs.
>>
>> There are a lot of open Documentation issues.
>>
>> As such if you have, or if you know someone with, strong writing skills
>> and you (they) might be interested here let me know and we can look into
>> this.
>>
>> I can't quite work out whether if we just apply we might attract a
>> writer, but it would be awesome if already someone in the community was
>> keen for this.
>>
>> Thanks.
>>
>> Kind Regards,
>>
>> Carlton



Re: Google "Season of Docs"

2019-04-10 Thread Asif Saif Uddin
Was looking into the docs issues and suddenly this come!!

On Thursday, April 11, 2019 at 12:08:27 PM UTC+6, Carlton Gibson wrote:
>
> Hi William. 
>
> A few people have shown interest so I will apply as an org for us. Then 
> candidates can apply. (I’m hopeful we could get multiple slots but it’s a 
> new programme so I don’t really know.)
>
> C.
>
> On Wed, 10 Apr 2019 at 21:03, William Hakizimana wrote:
>
>> Just out of curiosity, I was wondering if we got any traction on this.
>>
>> On Monday, March 18, 2019 at 5:27:47 AM UTC-5, Carlton Gibson wrote:
>>>
>>> Hi all, 
>>>
>>> Parallel to GSoC, Google now have this "Season of Docs" programme: 
>>>
>>> https://developers.google.com/season-of-docs/
>>>
>>> The idea is experienced technical writers can get funding to work with 
>>> open source projects on their docs. 
>>>
>>> There are a lot of open Documentation issues.
>>>
>>> As such if you have, or if you know someone with, strong writing skills
>>> and you (they) might be interested here let me know and we can look into
>>> this.
>>>
>>> I can't quite work out whether if we just apply we might attract a
>>> writer, but it would be awesome if already someone in the community was
>>> keen for this.
>>>
>>> Thanks. 
>>>
>>> Kind Regards,
>>>
>>> Carlton
