[Catalyst] ANNOUNCE: SimpleDB - Auth configuration made easy

Darren Duncan darren at darrenduncan.net
Tue Oct 28 05:26:19 GMT 2008


Jason Kuri wrote:
>> If I explicitly override the default, by explicitly requesting
>> 'clear', because my requirements explicitly need this ability, then
>> I must change the code to get rid of the warning?  Ahh, but it's for
>> the 'simple', who must be guided, and can't be bothered to read the
>> warnings in the text so bonk'em repeatedly in the logs till they
>> mind what you say.  Which is to explicitly not use the feature which
>> you've explicitly provided?  (sigh)
>>
>> How about adding 'clear_please_please' ?
>>
>> (Just because I like simple doesn't mean I _am_ 'simple' - and I
>> really do appreciate the simplicity enablers, really)
> 
> Matt suggested a way to turn off the warning also... but I am
> skeptical... either we hold the newbie's hand and protect him from
> himself, and warn him if he's doing something dangerous.... or we
> happily let them shoot themselves in the foot, assuming they'll
> probably figure it out after the first time....  Seems the two options
> are out of sync with each other...
> 
> I'm not beyond convincing... just a bit skeptical.... Anybody else
> want to weigh in... should we protect them, but allow them to throw
> off the comfort blankets if they say 'PLEEEEEeease'?

I think a good approach is to have safer more secure defaults, and if users 
explicitly turn those off then have relevant warnings on by default, and if 
users really know what they're doing then they can explicitly turn those off.

For example, users can have an explicit no_warnings_plaintext_password or some 
such where warnings are turned on by default and off explicitly.

Generally speaking, those who know enough to handle less safe things also know 
enough how to ask the system to let them do those things.  People who don't know 
well enough for one aren't likely at the same time to know to ask the 
system for help in pointing out unsafe behaviour so they're in trouble if unsafe 
is the default.  For people who do know things, having safe defaults is still 
good for working together with their desire to be lazy.

-- Darren Duncan
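
[Added example, not part of the original message and not SimpleDB's or Catalyst's own code.] A sketch of the three tiers described above: safe default, warning on an explicit downgrade, and an explicit opt-out of the warning. The option name `no_warnings_plaintext_password` and the value `'clear'` come from the thread; `password_type`, `'hashed'`, `resolve_auth_config` and the stale opt-out check are assumptions for illustration.

```perl
use strict;
use warnings;

# Hypothetical defaults: the safe choice needs no configuration at all.
my %DEFAULTS = (
    password_type                  => 'hashed',   # assumed name for the safe mode
    no_warnings_plaintext_password => 0,          # warnings on by default
);

# Returns (\%effective_config, \@warnings) for a user-supplied config.
sub resolve_auth_config {
    my (%user) = @_;
    my %cfg = (%DEFAULTS, %user);
    my @warnings;

    die "unknown password_type '$cfg{password_type}'\n"
        unless $cfg{password_type} =~ /\A(?:hashed|clear)\z/;

    if ($cfg{password_type} eq 'clear') {
        # Reached only when the user asked for 'clear'; the default is hashed.
        push @warnings,
            "password_type 'clear' stores passwords in plaintext; "
          . "set no_warnings_plaintext_password => 1 to silence this"
            unless $cfg{no_warnings_plaintext_password};
    }
    elsif ($cfg{no_warnings_plaintext_password}) {
        # Opt-out with nothing to opt out of: likely a stale or copied setting.
        push @warnings,
            "no_warnings_plaintext_password is set but password_type is "
          . "'$cfg{password_type}'; the flag has no effect";
    }
    return (\%cfg, \@warnings);
}

# Constructed sample configurations, one per tier plus the stale opt-out.
my @cases = (
    [ 'defaults'        => {} ],
    [ 'explicit clear'  => { password_type => 'clear' } ],
    [ 'clear, silenced' => { password_type => 'clear',
                             no_warnings_plaintext_password => 1 } ],
    [ 'stale opt-out'   => { no_warnings_plaintext_password => 1 } ],
);

for my $case (@cases) {
    my ($name, $user) = @$case;
    my ($cfg, $warn) = resolve_auth_config(%$user);
    printf "%-16s type=%-6s warnings=%d\n",
        $name, $cfg->{password_type}, scalar @$warn;
    print "    $_\n" for @$warn;
}
```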


