Patrick Uiterwijk

Results 21 comments of Patrick Uiterwijk

@msimacek not if the normal stable repos (like, in this case f26) contain newer.

@jeremycline That is not what @pypingou was referring to, no. I was working on a hosted service where websites only need to auth against that service, and that service then...

Big -1 to `APP.config['OIDC_ID_TOKEN_COOKIE_SECURE'] = False`. Please do NOT default to that.

@jeremycline sorry, seems I had been looking at an old commit. Regarding docs, you're completely correct. I was under the impression they were documented.

For the record: Docker hub credentials are available in this repo as repository secrets.

@ryanlerch Right. But note that if you decide the Vagrant setup is the official way of deploying, I'll have many complaints about insecure deployment practices 😀. That's why I want...

Some of the things you really want to point out:

- Don't use `flask run`, but instead use a serious HTTP server, and explain how to do so (apache/nginx with...

I will try to schedule this soon, is there any deadline when this is wanted? Additionally, how much flux can/should I still expect of the code, since a security audit...

For reference, the commit hashes currently under audit:

- noggin: [0e3be29de02a1ba7aaf247493c5adf7d08e5f64b](https://github.com/fedora-infra/noggin/commit/0e3be29de02a1ba7aaf247493c5adf7d08e5f64b)
- freeipa-fas: [b0fc093b73c76bf100151a1a7d86d6171bfe7006](https://github.com/fedora-infra/freeipa-fas/commit/b0fc093b73c76bf100151a1a7d86d6171bfe7006)
- fasjson: [bb4a12ee9d949c40e69849dd4f38394c365f6dbb](https://github.com/fedora-infra/fasjson/commit/bb4a12ee9d949c40e69849dd4f38394c365f6dbb)

According to the [Fedora Infrastructure Application Security Policy](https://docs.pagure.org/infra-docs/dev-guide/security_policy.html#audit), any deviations from the policy must be pointed out in the request for the security audit. I cannot find any notes in...