| 8 Mar 2024 |
 @adam:robins.wtf | * Yeah probably a bit, based on the moves since the soft fork and what forgejo has said about them. I’d be happy to be wrong and see gitea do amazing things. Unfortunately, I’d argue there’s enough examples in the past to suggest things won’t turn back toward community. | 00:07:21 |
 hexa | In reply to @raitobezarius:matrix.org
what if I send SAML support to Gitea tomorrow? looks for a simpler feature and doit 😄 | 00:15:40 |
| hexa | In reply to @raitobezarius:matrix.org
what if I send SAML support to Gitea tomorrow? * looks for a simpler feature and do it 😄 | 00:15:44 |
| hexa |
IP Allowlist: Control access to your repositories by specifying approved IP addresses.
| 00:16:03 |
| hexa | that sounds equally silly and simple | 00:16:08 |
 raitobezarius | https://github.com/go-gitea/gitea/pull/29403 I have a better answer | 16:46:49 |
| raitobezarius | Yes and it's the one used in Gitea Enterprise | 16:46:57 |
| hexa |
Yes, CommitGo is using this PR.
| 16:50:12 |
| hexa | lol | 16:50:13 |
| hexa | at least they're using their enterprise customers as guinea pigs ig | 16:50:36 |
| @adam:robins.wtf | So maybe they will accept them? Though if they have the patches privately it feels wrong that others may have to recreate the functionality. (Seems not to be this case) | 17:08:21 |
| hexa | anyway, who cares about SAML? Nobody. | 17:11:08 |
| raitobezarius | i want to roast you but i will prevent myself | 17:11:28 |
| raitobezarius | yes not everyone does not do authentication over an authorization RFC | 17:11:38 |
| hexa | universities do | 17:11:41 |
| raitobezarius | i much prefer saml to oauth2 | 17:12:01 |
| raitobezarius | * i much prefer saml to oauth2/oidc | 17:12:06 |
| hexa | lol what | 17:12:14 |
| hexa | https://joonas.fi/2021/08/saml-is-insecure-by-design/ | 17:12:24 |
| hexa | https://github.com/dexidp/dex/security/advisories/GHSA-m9hp-7r99-94h5 | 17:13:08 |
| hexa | https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7 | 17:13:22 |
| hexa |
We should always guide people to use oauth2/oidc first, and then LDAP app passwords second, with SAML as an absolute last resort. If we end up in that situation, we may need to add it.
https://github.com/kanidm/kanidm/issues/2025#issue-1866005716
| 17:20:09 |
| hexa | don't trust me, trust firstyear 😄 | 17:20:14 |
| raitobezarius | i don't really do this sort of things, sorry | 17:59:12 |
| raitobezarius | In reply to @hexa:lossy.network
https://joonas.fi/2021/08/saml-is-insecure-by-design/ the link you mentioned conclude to the same thing though | 18:00:05 |
| raitobezarius | oauth2 is not an alternative | 18:00:08 |
| raitobezarius | so sure, i can just not use saml and use something that has not been built for authentication | 18:00:24 |
| raitobezarius | but yes I am very much well aware of all the XML malleability issues... :^). | 18:00:57 |
| raitobezarius | that doesn't change the fact there's no alternative to SAML and there's a sensible path to SAML implementation | 18:01:12 |
| raitobezarius | so maybe firstyear will expand his section on why SAML is bad and I hope it's not because people in the enterprise ecosystem doesn't know how to do canonical document formats | 18:02:01 |
