[Mageia-sysadm] [RPM] cauldron core/release tagtool-0.12.3-2.mga1

Michael Scherer misc at zarb.org
Thu Mar 3 21:46:39 CET 2011 

Le jeudi 03 mars 2011 à 18:17 +0100, nicolas vigier a écrit :
> On Thu, 03 Mar 2011, Michael Scherer wrote:

> > > I think that's not a problem here. We're not checking ID of people who
> > > create accounts, so they can use the name they want to be called.
> > 
> > Not yet. What about the day someone will propose to use gpg and the web
> > of trust ( who is currently based on checking ID card ) for some stuff ?
> 
> If we decide one day that we require signed gpg key, then we can discuss
> that day the details of what kind of signatures we require. Today we
> don't require anything like this. But it's possible to sign key without
> checking ID card. GPG signature doesn't necessarily mean "this personn
> has this official name", it can also mean "this is the real owner of
> this email, and owner of this non-official name".

That's why I said "what if we use gpg _and_ the web of trust". Of
course, gpg alone do not requires this. The current system of web of
trust does.

So while we do not do now, I wanted to highlight this would be something
to keep in mind.

> > Problem is asking for Last name/First name.
> > 
> > Identity.m.o  will be used almost everywhere, like for example on the
> > forum. 
> > 
> > Some people may find invasive to give Last name/First name especially
> > for posting on a forum when compared to all others ( I checked several
> > french forums, none requires giving anything except a email and a
> > login ). 
> 
> Many forums require a username, and a display name. 

I gave examples of those that do not requires anything when being
subscribed ( and later ), so I would appreciate that you give at least
one example ( cause all I tested didn't seems to mandate this on
registering ). 

Likely all of them propose to have a display name, none do requires it
( ie, using login is fine, not filling the vcard is fine too ).

> If you open an
> account on linuxfr for instance, you need to enter a login name, and a
> full name (which doesn't have to be your real name). 

Sorry to contradict you, but that's not required when subscribing :
https://linuxfr.org/compte/inscription

( note that maybe this changed for the new version 2 weeks ago )

You can set a display name later ( and yes, the new interface now ask
for "first name/last name", I do not remind the old one ), but IIRC you
do not need to set it. That's the whole point, you are not forced ( or
at least, it was like this before ).

On our web site, we do not explain much ( FAQ is not written yet,
privacy policy is a draft ), and we ask for 2 specific informations that
everybody will consider personal ( last name, first name ) to guess a
3rd one instead of simply asking the 3rd one ( display name ).


> And I think most
> people on linuxfr don't use their real name, and they see no problem
> being asked a full name. On almost all websites I know where users can
> post messages, they are asked both a login name (which is sometime the
> same as the email) and a display name.

The point is not "we should not let people use a display name", but "we
should not require last name and first name to create the display name".
 
A display name is not the same as last name/first name. I do not know
how can I explain this more clearly :/

"The great gatsby" is a display name, but not a tuple (last name, first
name).
"Jay Gatsby" is a display name and a tuple (last name, first name).


> Even when you setup an email account, most email software will ask you
> to enter a full name. If sending an email without a full name, I think
> I remember that spamassassin will flag it as spam.

I guess this changed, because I checked my spam folder
, found 1 mail without anything in from except the mail, and here are
the check : 
X-Spam-Status: Yes, score=11.3 required=5.0
 tests=BAYES_99,
 DNS_FROM_RFC_DSN,
 HTML_MESSAGE,
 HTML_TITLE_SUBJ_DIFF,
 MIME_HTML_ONLY,
 PYZOR_CHECK,
 RCVD_IN_BL_SPAMCOP_NET,
 RDNS_NONE 

None of theses checks relate to From headers. 

> > 
> > So either we care about having this information ( for example for legal
> > reasons ) and in this case, this must be clearly explained, and then we
> > may have to be more stringent depending on requirements. In this case,
> > we cannot say "you can enter what you want".
> > 
> > Or we do not care about the personal information, then it should also be
> > clear. And I see no clearer way to say "this is not required" that not
> > requiring it upon creation of the account.
> 
> The problem is that many software, like bugzilla, forums, or rpm changelogs
> require a login name (only one word without spaces) or email, and a
> display name. 

I never said "display name is not fine". Just that we currently do not
ask clearly for it, because a display name is slightly different from
"last name" / "first name". 

Simply because there is 2 entries, and just one for a display name, so
most people will not make the connexion. Granted, most will give the
information without thinking, some will not, some will prefer to not
register at all.
 
> I see no use to waste time to patch all those software to
> add a special case (adding more complexity and more bugs) for the user
> who doesn't want to set any display name, when a simple solution is to
> simply set a name that is not your real name, if you want to hide your
> real name.  

Well, then we can simply say what I proposed : 
- do not ask for last name/first name when we want something to
display. 

( unless that's required for technical reasons, in which case we should
clearly tell this, and looking at ldap schema, I fear this is the
case :/ )

We want people to be able to use display name because that's what
matter, and to change it, so let's just use that. If the rest is not
used, then we can simply not ask.

> > 
> > IMHO, we should not adopt the sloppy practice of others websites of
> > saying so mandatory when this is not.
> 
> It is not a "sloppy practice". It is that a login name is not very nice
> to display, so a full name is asked.  

The sloppy practice is to ask for personal informations and say they are
required, when :
1) they are not what we want ( ie, we want a name to display and we may
not care about the rest, yet this is not what most people will infer
from the web site )
2) they are not strictly required ( ie, it would work fine without it on
most web applications, it is just less pretty, that's hardly what I
would call a requirement ) 

> > 
> > Telling to users to workaround this by giving incorrect information do
> > not seems like a very good way to show we care about people. 
> 
> It is not giving incorrect information, it is giving the name the user
> wants to be called.

Then as I said, this should be clearly said. For now, this is not. Look
again at the website : https://identity-trunk.mageia.org/register

I see no obvious mention that this will be used for displaying anywhere,
nor the way it will be used and displayed. 

Moreover we cannot correctly infer the way people want to have it
displayed in all cases since some people would prefer "michael scherer"
and some "scherer michael" ( for example, chinese do put family name
first http://en.wikipedia.org/wiki/Chinese_given_name , and afaik, we
don't in france ). Or some would prefer to add Dr, PHD, etc.

So the way we do is not flexible enough.

So here is my proposal :
Just ask for :
- login, 
- email, 
- display name

And if display name is not filled, just use login.

There is no invasive changes on applications ( or at least, none that we
didn't agreed to do in the past, cf
https://www.mageia.org/pipermail/mageia-sysadm/2010-November/000963.html ), the only big issue is that ldap types requires sn/cn. 

But since nothing use the information yet ( IIRC ), we can either fill
this with login ( ie sn=login, cn=login ), and let people decide to put
what they want if they want later. Or we can tweak ldap to not ask for
this ( slightly more complex, but Buchan spoke of this ).

-- 
Michael Scherer

More information about the Mageia-sysadm mailing list