October 12th, 2010
Note: If you never used an “@drupal.org” login to a site then you can gleefully ignore this post. It was a feature launched long ago and not widely used.
It’s been a long time coming, but we are now approaching the point where the old “distributed authentication” mechanism will be turned off on drupal.org.
For a while, the distributed authentication method was a great idea. Sites like spreadfirefox.com used the distributed authentication and it helped spread awareness of Drupal. It was an early idea for identity and federated websites and distributed social and all those fancy buzzwords.
But while the concept might have been visionary, the implementation was not. Perhaps the biggest complaint is that it is not a super secure architecture.
So, we will turn it off on drupal.org on November 1st, 2010.
Goodbye legacy, hello new hotness
If your site allows logins like “email@example.com” then you should know that this mechanism will be turned off soon. Users will still be able to log in with that account and the password they last used. But there could be some scenarios where they get locked out. Even worse, if they never updated their account then their e-mail address will not be stored in your database, so they cannot use the “self-service” password retrieval system.
If you want to use something similar, consider using the OpenID module that’s in Drupal core these days. It allows federated logins without all the architectural security problems.
If you relied on this service
Site owners who relied on this service should…
- Get people to enter their e-mail on their profiles
- Alert people that the connection to drupal.org is going away and their passwords will no longer stay in sync