[sldev] Viewer Auth Postponed

[Kelly Linden]

Argent Stonecutter wrote:
> First, let me note that I'm not talking about maintaining the 
> network-level login code indefinitely, just the XUI login page.
>
> On 2008-01-11, at 13:04, Kelly Linden wrote:
>> Just because you can doesn't mean you should.  Maintaining this 
>> indefinitely would mean more code to maintain which is a Bad Thing.
>
> True, but on the other hand the new login path requires a lot more 
> code than the old login path, because it puts gecko in the critical 
> path for login. Maintaining the XUI login page makes gecko optional. 
> This has a number of advantages.
>
> * It reduces the amount of code in the critical path.
No, it "doubles" it (give or take).  The next time there is a bug or new 
feature or any change that effects the login process it will need to be 
made in two places instead of one.
>
> * It reduces the impact of problems in the very large amount of code 
> associated with gecko. Customers who can't login at all tend to be a 
> lot more upset than customers who can't use search and help and web 
> tabs in profiles.
I did say it should be one path that *works*.  It it might not work then 
we should not use it.  If we can't get the gecko/web version of user 
login to just work 100% of the time for everyone (give or take a 
standard margin of error) then we should not use that path at all and 
the one true path should be XUI.
>
> * It allows a greater degree of control over the environment when 
> trying to debug problems. You can eliminate a whole class of problems.
I disagree.   It approximately squares the complexity of debugging any 
problem that arises in either path, and in any code *near* those paths.  
You eliminate a class of problems by eliminating the extra code and only 
having one path.
>
> * It improves viewer security.
No, every line of code increases the chance of a security problem.  
Reducing the lines of code and the number of paths possible is probably 
the single greatest thing we could do to our codebase to increase 
security.  And stability.  And reliability.  And performance.
>
> If anything, I strongly believe the XUI login page should be retained 
> and the HTML login page eliminated. It's obviously your call and not 
> mine, but I would like you to consider it.
I don't necessarily disagree with this, but the HTML login does have its 
advantages and if it can be made to just work then it could be a viable 
solution.

 - Kelly