#4785 Fedora OpenID asks for confirmation when logging-in to COPR
Closed: Fixed None Opened 8 years ago by pspacek.

= phenomenon =
Fedora OpenID does not treat COPR as a trusted service and asks for confirmation when logging in to COPR web interface.

= recommendation =
Make COPR trusted so Fedora OpenID does not ask all the time.

Thank you!


So we have discussed this in the past before...

In order to add something to our fedoauth whitelist we want to be very sure that the application is controlled by us and in a secure setup.

Copr is of course controlled by us, but it's not in our normal internal/secure network, it's in our cloud. This cloud also hosts a bunch of other instances including things we don't run or know what's in them.

So, for that reason we want to probably keep this confirmation for now.

We are going to be moving to a new authentication setup using ipsilon pretty soon, we could revisit this again then or at least make the confirmation more clear as to what is going on.

Honestly, I do not really understand the problem. What are the risks? In the worst case a 'bad actor' can get FAS nick, 'real name', and e-mail to the service, is that right? Isn't this information easily available anyway?

E.g. Koji displays package changelogs in the web interface and this can be easily scraped by a bot. Yes, it contains only packagers.

So an attacker can easily create a brand new Fedora account and scrape https://admin.fedoraproject.org/accounts/user/view/$USERNAME using a bot and get all users.

It seems to me that both methods mentioned above would be even easier than mucking with OpenID, so I do not see the benefit of making the user experience worse.

Thank you for understanding.

I guess that nobody replied because it does not show up in the list of open tickets :-)

well, no, it was on my list to reply to again, but it's been very low on my list. :)

So, I went again to look at this, and noticed that in fact it's already in the whitelist. I am not sure if I fully agree it should be there, but I guess it's water under the bridge.

The next question would be, why did you see the confirmation thing. Do you still see it? I cannot duplicate here.

So, we did find one case where it might have shown you the confirm and fixed it.

Can you see if you can duplicate it now?

I confirm that it works for me. Thanks!
