[Demexp-dev] logins and account creation.

[Augustin]

Hello,

With this mail, I hope I have replied to all your previous comments.
                        


On Saturday 16 September 2006 07:14 pm, David wrote:
>  2. The demexp server and Drupal logins should be unified: the same
>     login name and password should be used for both the Drupal login on
>     the web site and the vote on demexp server;

This is a definite No!
I will detail below but there are many reasons why not.
There are technical reasons (with Drupal core).
There are privacy/useability reasons. 
There are inclusiveness/openness reasons for users.
There are flexibility reasons for organizations who'd want to use this module, 
too.

On Saturday 16 September 2006 07:14 pm, you wrote:
>  4. Account creation form should be modified. I think it is manfdatory
>     to have following fields:
>
>     * 1st name:
>     * 2nd name:
>     * 3rd name:
>     * :    :
>     * Last name/Family name:
>
>     * email address:

As mentioned earlier, you can have all the fields you want, some private, some 
public.
The problem is about what to do with them.

>     * Display name (aka an alias to be displayed on the web site/demexp
>       server):

The display name is the login name. 
To have it otherwise may require to patch core, which I will not do.
There may be a solution without patching core, but I am not sure.
Anyway, I won't look into it because of the other problems I have with this 
approach.


>     The demexp login could be computed from 1st, 2n, ..., last names. We
>     would have to take care of people having the same name, how to
>     disambiguate them (several proposals for this on the demexp demo
>     server, see question 34 
     http://demexp.ouvaton.org/node/37 ). 

This question is almost meaningless. There are a lot of assumptions made here. 

First it assumes that everybody is French (but it is stated everywhere that 
demexp is an international project), then it assumes that all the French have 
three first names. Some have only one, and I have read some news about a 
mayor refusing to deliver a birth certificate to a baby who was given over 20 
first names... The question was asked in the article whether there is a legal 
limit in the number of first names one can have...).

What do you do with people of other cultures who have different ways to call 
themselves. 
There are those who don't have a family name at all (ok, even if there are 
very many of them, they don't have access to a computer, and wouldn't be able 
to provide a birth certificate if asked...).
But take my wife: her name is composed of three Chinese characters, the 
*first* one of which is her family name, and the other two, her given name 
(i.e. neither "first", nor "christian" name). Some Chinese people have only 
two characters, and homonyms are frequent. 

In the question 34 poll, the utf8 encoding is the elected solution. 

Currently, the accounts are created manually: what do you do if someone comes 
up with a name you cannot type? A Polish name with diacritics (L with a bar, 
E with a cedilla, etc.?, a Chinese name, a Japanese name... or a Swedish...

If the accounts are created not manually but programmatically, then the 
elected pattern Prénom.Prénom2.Prénom3.NOM (en encodage UTF8) is making too 
many cultural assumptions. 

Also, for the sake of security, the buzz word, a simple number or hash code to 
which the real identity is associated would be better: this way the 
hash/number <=> identity association table can be stored separately and 
controlled by someone else, and all the votes, transactions, questions, etc. 
would  NOT be linked to the real identity, only to a meaningless number. 


Why are you  so worried about who gets access to the root directory of the web 
server?
How does the demexp server store the data? In a data base? On file?
If I understand the technology well, each transaction is recorded (on file) 
and associated to the demexp account. So, the person who has access to the 
ballots and all other information related to the questions, knows the real 
identity of the people who submitted this information. 

From the security and privacy point of view, an anonymous hash would have been 
much better. 
This can be discussed further later. For now, I am happy if you carry on 
creating accounts by hand, using the current pattern.
I will not code anything related to this, not in stage 1, not until we have 
had time to figure out a better solution. 







Another big problem I have with the "drupal login" == "demexp login" approach 
is about inclusiveness.
All the votes I have seen on the demo server call for the maximum 
inclusiveness (at least until we figure out why we'd want to be less 
inclusive). 

For example:

Question 24
http://demexp.ouvaton.org/node/27
Toute personne inscrite à l'expérience démocratique peut voter sur tous les 
sujet, quel que soit son pays de citoyenneté.
=> Je suis d'accord

Question 108
http://demexp.ouvaton.org/node/103
Quel est l'âge limite d'un utilisateur pour que son vote soit pris en compte ?
=> Aucun, tous les votes sont valides

We are trying to be inclusive and invite more people to participate.
The Drupal login will control the ability of the person to interact with the 
whole web site, including in the general forums. With its forum system, the 
Drupal site will be a very important venue for the community.
Do you realize that I still don't have a demexp account? I don't have a hard 
client either (none was compiled for Mandriva). 
By requiring a demexp account to login into the Drupal site, we say: you can 
only participate in our community discussion if you already have an account.

It is as if you had told me one month ago: "hey, Augustin, you don't have an 
account yet, so you cannot make a proposal about Drupal, and you cannot code 
a module yet."

If we make it easier for people to join the discussion and take part in the 
community life, they'll start giving their own opinion on topics which will 
lead to a vote... and by the time they are interested enough to actually 
vote, they will be greeted by a form saying "please enter your demexp account 
name and password". 

What I mean is that, from a marketing point of view, it makes a LOT of sense 
to allow people who are not yet full members of demexp to be able to interact 
within the general forums, and post questions and comments. 






You hope that your server can be used by other organizations, and I hope the 
same about my module. People may want to create a Drupal-based web site with 
your server and my module, but the site may be more general than the demexp 
part only, i.e. they will want people to be able to join the site, without 
having to create a demexp account, just like I think we should do ourselves.





Most obviously, there is no consensus on this whole point. 
A solution satisfactory to everyone can be discussed after stage 1.

But for stage 1, I will keep the drupal web site registration and the demexp 
login separate. 


As of today, I have no more "bad news" for you, about stuff we disagree on :)



yours,


Augustin.










-- 
http://www.wechange.org/
Because we and the world need to change.
 
http://www.reuniting.info/
Intimate Relationships, peace and harmony in the couple.

http://www.gnosis-usa.com/
Revolutionary Psychology, White Tantrism, Dream Yoga...

http://www.masquilier.org/
Condorcet, Approval alternative, better voting methods.