[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Fedoracommunity.org index page



On 09/10/2009 06:49 AM, Max Spevack wrote:
> On Thu, 10 Sep 2009, Mel Chua wrote:
> 
>> 2. https://admin.fedoraproject.org/community/, a site that helps keep
>> track of who is packaging what, and what state those packages are in.
> 
> Whether on purpose or simply because there is a need to differentiate,
> most people refer to this as the Fedora Community Portal, at least that
> I've seen.
> 
<nod>  -- I think Fedora Portal would be one way to rename this if
that's the way we end up going.

> Maybe it should have its own domain name, as opposed to what is
> currently a pretty convoluted domain name for what is a really awesome
> webapp?
> 
There's actually some technical reasons, and one social reason to keep
the app on admin.fp.o.  Due to the same origin policy[1]_ in web
browsers (a very important piece of browser security), information can't
be shared across hosts.  So things like single sign-on between Fedora
Community Portal and Bodhi, packagedb, etc would not work.  Currently
this isn't a big issue as we're taking the username and password on the
Portal page if we don't have an authentication cookie and proxying it to
the other web apps to generate a cookie.  But it will be a showstopper
if we move to SSL certificates or another means of authenticating users
as we can't proxy those.

This doesn't mean we can't have something like
https://community.fedoraproject.org that's a redirect to
https://admin.fedoraproject.org/community but it would only be a
redirect.  The browser won't send authentication tokens to
community.fedoraproject.org that came from admin.fedoraproject.org.

The social reason is that we do not want to get people used to giving
their Fedora username and password to third party sites.  Right now you
should only be putting your Fedora username and password pair into
fedoraproject.org domains.  If we had something like fedoracommunity.org
go to The Fedora Community Portal, people would need to put their
username and password in there as well.  And from there, how are they to
know that fedorafriends.org, fedorasolved.org, fedora.org,
fedoraharvestpasswords.org are legitimate or illegitimate sites?

.. _[1]:
http://en.wikipedia.org/wiki/Same_origin_policy#Origin_determination_rules

>> 3. http://fedoracommunity.org, the top-level domain for a few (only 2
>> so far, it sounds like) local group homepages (such as
>> http://ph.fedoracommunity.org/ for the Philippines).
>> http://fedoracommunity.org itself is not up and running, but was
>> supposed to be a directory for all such homepages.
> 
> Given what we use *.fedoracommunity.org for, the main index page of
> fedoracommunity.org should (ignoring all design options) make it easy
> for people to find out what all the subdomains are, right?
> 
That seems to be where this thread started off (n websites list) and I
agree with it.  I had to go find the DNS records we're serving to find
out that ph.fc.o and bd.fc.o were the active domains.  An index page
listing the sites would be much better.

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]