Is there any interest in a lightweight login with your Google account function?

It would add a button to the login page, and on return from Google, see if the OpenID Connect sub identifier matches a known one and if so log that user in. If not, it would show the login form with an additional "Associate this Google account with your perlmonks user" checkbox checked, and if they log in with username and password, store the sub for next time.

Dunno if we'd need a way for a user to clear those.

Dunno for sure where they'd be stored, most efficient would be a new db table, but everyone's identifiers could be stored in a single settings node (it does look to me based on other usage like setting.vars should be changed from text to mediumtext anyway) and avoid a new table.

We'd need some cpan modules installed, I don't remember what the process for that is.



--
A math joke: r = | |csc(θ)|+|sec(θ)| |-| |csc(θ)|-|sec(θ)| |
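
The flow proposed in the post above (match a known sub, otherwise show the form and store the sub after a password login, plus a way to clear it), as an added sketch that is not PerlMonks code or the poster's. It assumes the ID token signature has already been verified; the client id, the username and the in-memory `%link` store are constructed placeholders.

```perl
use strict;
use warnings;

# Constructed values: the client id is a placeholder, not a real client.
my $ISSUER    = 'https://accounts.google.com';
my $CLIENT_ID = 'example-client-id.apps.googleusercontent.com';
my %link;    # "iss|sub" => local username (stand-in for a table or settings node)

# Claims come from an ID token whose signature was verified beforehand.
sub claims_ok {
    my ($c, $now) = @_;
    return length($c->{sub} // '')
        && ($c->{iss} // '') eq $ISSUER
        && ($c->{aud} // '') eq $CLIENT_ID
        && ($c->{exp} // 0) > $now;
}

# On return from Google: known sub => log in, unknown sub => show the form.
sub on_return {
    my ($c, $now) = @_;
    return { action => 'reject' } unless claims_ok($c, $now);
    my $user = $link{"$c->{iss}|$c->{sub}"};
    return $user ? { action => 'login', user => $user }
                 : { action => 'show_form', associate_checked => 1 };
}

# Store the sub only after a successful username/password login.
sub associate {
    my ($user, $password_ok, $c, $now) = @_;
    return 0 unless $password_ok && claims_ok($c, $now);
    my $key = "$c->{iss}|$c->{sub}";
    return 0 if exists $link{$key} && $link{$key} ne $user;  # never re-point a sub
    $link{$key} = $user;
    return 1;
}

# Let a user clear every external identifier tied to their account.
sub clear_links {
    my ($user) = @_;
    delete @link{ grep { $link{$_} eq $user } keys %link };
    return;
}

my $now = time;
my %c = (iss => $ISSUER, aud => $CLIENT_ID, sub => '1234567890', exp => $now + 300);
printf "%s\n", on_return(\%c, $now)->{action};
associate('somemonk', 1, \%c, $now);
printf "%s\n", on_return(\%c, $now)->{action};
clear_links('somemonk');
printf "%s\n", on_return(\%c, $now)->{action};
```

The lookup key is the issuer plus sub pair rather than an email address, so a second identity provider added later cannot collide with an existing Google identifier.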

Re: login with google account
by Corion (Patriarch) on Oct 10, 2024 at 20:04 UTC

    Why would anybody do this instead of being logged in with their PM credentials? You can keep your cookie alive forever.

    They still need to create a Perlmonks user, right?

    Personally, I'm wary of creating yet another maintenance treadmill to keep on top of whatever Google is up to, to keep this thing working.

      If you always use the same devices, it would not be very useful, yes.

      This would be a first step. Creating a user from a Google account would be a possibility for the future, with most of the harder parts already done. That said, if this is all that ever got done, would you object, or do you just have concerns?



      --
      A math joke: r = | |csc(θ)|+|sec(θ)| |-| |csc(θ)|-|sec(θ)| |

        I'm wary of having to keep up with a third party and their changes to the account provisioning. If we allow creating users from Google accounts, the shadow accounts we create locally can always be switched back to "use password" once Google login breaks, but I'm not sure if/how Google users can then be reached.

        If we can get the Google user email, they can always recover their password once authentication through Google breaks.

        So, I don't think anymore that this will create a long-standing maintenance burden, as long as we all are OK with login through Google eventually breaking.

Re: login with google account
by pryrt (Abbot) on Oct 10, 2024 at 20:08 UTC
    From the user perspective, I think that's an interesting idea. As long as it's an alternative login for the same account, not the only way to log in, that would seem a reasonable option to me.

    But if you're going to add in OAuth capabilities, then GitHub and other OAuth providers would be good as well -- GitLab, for example. I have a feeling that more monks would want to use GitHub or GitLab as the OAuth provider for logging in here rather than Google, or at least want that as an option when configuring multiple OAuth providers.

    Dunno if we'd need a way for a user to clear those.

    Definitely. Being able to disassociate an external login provider would be essential ("someone hacked my Google account, and I don't want them to be able to log in as me here")

      OAuth is not actually an authentication protocol, though it is sometimes abused as such, with some issues as a result. OIDC is, and is built on top of OAuth. Sadly, looks like GitHub does not support OIDC, though GitLab does.

      Additional identity providers could be added later, with the essential mechanisms being the same.



      --
      A math joke: r = | |csc(θ)|+|sec(θ)| |-| |csc(θ)|-|sec(θ)| |
Re: login with google account
by bliako (Abbot) on Oct 22, 2024 at 17:35 UTC

    Let's say that a google/facebook/ms/github account login is implemented for PM. And that it is on a voluntary basis. The PM login page will have some JS script from said conglomerate to be fetched to my machine and run on my browser in order to show the login-with-this-id popup. That entails cookies, images, fonts and a zillion ways of tracking me which can further link my PM activity to my other digital footprint which can make it super-easy for anyone to find what I am doing right now, what address I have, what mobile phone I have. Whether it has already been infected with Predator or when a good chance to infect it may be. So, even if I ignore the login-with-this-id popup some pretty good damage to my privacy is already done. An AdBlock is no bullet proof solution as said items mutate constantly.

    There is more. Suppose I reply to someone who has logged in with the conglomerate's id. Obviously, they track that person much harder than me. But now, because of my interaction with that person I am at the crosshairs too. All my answers etc. will be processed by the conglomerate's algorithm whereas in the usual case I would have gone, hopefully, unnoticed by the algorithm although it, obviously, has the freedom to sieve through all my public posts at PM. The difference now is that something the algorithm saw that I wrote to that person may have tickled its twisted, perverted curiosity and got the appetite for more of me and sieve through whatever I wrote here and then subsequently elsewhere.

    Sure, I have nothing to fear and would not mind a police search in my house. Add a urine test to that too. That said, these are weird times. Privacy is not worth a dime. Not even human life. In fact people are now being killed because this is what an algorithm decides. The algorithm is so evilly ruthless to not hesitate to ignore the presence of Children or even command to kill them deliberately if the gain, algebraically, is positive. And the algorithm is fed among other things with our digital footprint. Yep, there are States researching this. Some are even running it and killing with it.

    No, please don't do it. The site is great in its LO-FI style which has a quality of its own. Even if a thousand people volunteer to code this feature, and for free. There is a place I know where the (useful) idiots running the local airport succumbed to such a good-willing, private company (an oxymoron, I know) to enhance the passenger experience with "new features" by installing their own antennas and routers for the passengers' wifi. It turns out that a lot of personal data, mobile phone numbers, photoshoots, number plates, travelling destinations has been collected and crosslinked, before the authorities "found out" about it and gave them a token fine and let them go to their country.

      Google provides JS to make it easy and reduce the server side work, but it is optional and I would not use it. Re your point of interacting with conglomerate-tainted users, seems like that's a lost cause. People are going to be storing their passwords in conglomerate-provided browsers anyway.
      --
      A math joke: r = | |csc(θ)|+|sec(θ)| |-| |csc(θ)|-|sec(θ)| |
Re: login with google account
by jdporter (Paladin) on Oct 11, 2024 at 14:58 UTC

    I like the idea. Certainly the status quo here is ... bad.

    But before we go too far down this road, I believe we should find out what changes Everything2 has made in this regard, if any. I like the idea of consistency with them — as long as what they have is worth copying.

    Today's latest and greatest software contains tomorrow's zero day exploits.
      I like the idea

      I too like the idea...

      But - I feel it should be about number 342 on the ToDo List that we don't seem to have.

      The questions that should be asked of any change are IMHO

      • Will it encourage young programmers to adopt Perl as their language of choice?
      • Will it improve the view of Perl to non-Perl programmers?
      • Will it encourage more people to use the Monastery?

      Google logins fail all three so it can only be classified as a "nice to have"

        • Will it encourage more people to use the Monastery?

        Bingo. We have lost a lot of users, including very valuable, high-level Perl experts, because of our abysmal security posture. Fixing it is actually our #1 priority. I just haven't done it because it's extremely complicated and I don't know how to do it.

        Today's latest and greatest software contains tomorrow's zero day exploits.
        How do you know that Google logins fail on the third point? I can imagine a new way to login would encourage people to join - there'd be less impedance if they already have a Google login.

        And why do you think any Monastery change whatsoever would make a difference as far as the first two points go? Surely those are more down to Perl's own features vs other languages?

Re: login with google account
by harangzsolt33 (Deacon) on Oct 20, 2024 at 15:28 UTC
    As far as I know, you do not have to log in to participate in this site. That's what the Anonymous Monk is for. Right? So, why would one need to log in with Google credentials if they can use this site? As an anonymous visitor, you can access (read) all that this site has to offer. You can search. And you can post. Correct me if I am wrong, but the only thing you cannot do is have a profile description or collect XP points or manage the site. But as a visitor or newbie, why would you want to do that? This is the most easy-to-use website as far as login goes. Don't ask me about the design though, because that's horrible. This is probably one of the ugliest and hard-to-find-what-youre-looking-for websites I visit on a regular basis. But as far as logging in and ease of logging in I give it 5 stars.

    Logging in using Google credentials would only add to the complexity of this site, I think. And I hate when I visit a new website, and a little pop up shows up that says, "Hey, why don't you log in to this site as <my Google username> ?" I hate it. I always say, "Leave me alone, you stupid! I don't want to log in! I don't even know what this website is!" But if I learn what it is and I start using the website, I might log in. But even then, I prefer to create a separate username and password. I don't like to use my Google signin for everything. I have a separate username and password for Facebook, ebay, my web hosting, and everything. The only time I use Google signin is when all other attempts fail, and the site seems buggy and I can't create an account or can't log in with my existing username or password. So, people are going to have double accounts as a result of adding Google login option, because if they forget their regular password, then they will just log in using their Google credentials, and now you have a bunch of accounts which are double, and you'll not be able to track which one is connected to which. So, I don't know. I think, this is a bad idea.

    If you want to fix something, then fix the site design. I'd say that's far higher priority than fixing the security. When I first started using this site, finding things was a nightmare (it still is sometimes even though I am at level 12 now). For example, there should be a "POST A QUESTION" button right in the middle of the landing page (front page) so you can't miss it, so when someone who has never been to this site comes here, he can immediately post a Perl question as anonymous and don't have to browse for 30 minutes to find the link. That'd be a great improvement. I'm talking about this link: https://perlmonks.com/?node=Seekers%20of%20Perl%20Wisdom#post

      Yes and no. An account on this site can help you find your questions (and the answers thereto) easier, beauty is in the eyes of the beholder, and before posting you should search the site anyway … whether the question already has come up before. OTOH the "I want to ask a question of the Perl Monks. Where do I start?" FAQ could be linked more prominently, e.g. somewhere near the top of The Monastery Gates. My priorities regarding design vs. security are obviously different from yours, but at least part of your concerns seems reasonable to me.
      I always say, "Leave me alone, you stupid! I don't want to log in! I don't even know what this website is!"

      Hehe, I leave this job to ublock origin. And that's my answer to this thread. Except that loading google's JS script to create the login popup can compromise my privacy. And I don't like that one bit.

      Update: I have revised my stance after thinking that no ad-blocker is 100% bulletproof, 100% of the time, and that this looks to me far more serious than I thought, here: Re: login with google account