Namespacing on Crates.io

soc · 2018-10-21T00:44:46.604Z

bascule:

the method you’re describing requires a lot of backend sysadmin

bascule:

I would personally prefer the point-and-click experience.

The approach I described takes literally 3 seconds using your own preferred “IdP”:

orgs.gif750×298 169 KB

As you see, it comes with “a point-and-click experience with strong authentication (e.g. U2F) and active monitoring for suspicious activity”.

The difference with this approach is that developers can make their own decisions and pick whatever proprietary “IdP” they prefer, including none at all (and use their own domain).

bascule · 2018-10-21T05:56:37.443Z

soc:

As you see, it comes with “a point-and-click experience with strong authentication (e.g. U2F) and active monitoring for suspicious activity”.

While I’m sure this is all wonderfully intuitive to you, I would not consider that a good user experience for what is fundamentally an access control management tool.

You’re also kind of missing the point re: “active monitoring for suspicious activity”. The kind of interesting authentication and access change events that GitHub monitors for in its own account system are oblivious to changes you’re making in a text file…

soc · 2018-10-21T07:15:58.888Z

At the point were a malicious user has circumvented “active monitoring for suspicious activity” to log into a victim’s account you are in pretty bad shape security-wise anyway.

lzutao · 2019-01-23T05:36:01.128Z

Docker is an example here. They use namespace for any docker images. So it would be nice if Crates.io does the same thing.