Soon there will be a new release of Launchpad, and along with some new features and bug fixes will come the move to using only an OpenID provider for authentication. (This, incidentally, is why Ground Control 1.5 is currently broken.)
The new OpenID system points to https://login.launchpad.net/ and most people here will have seen this OpenID system before. The problem is that this part of Launchpad is not open source; it was taken by Canonical’s ISD, which deals with development for the system admins. Interestingly, this code base became the Ubuntu Single Sign On system after a rewrite, the system that Launchpad will probably move towards after this iteration.
What is worrying about the closed-source oversight is that there have already been a number of reports of vulnerabilities in this OpenID provider software and long delays in fixes being applied. Worse, I can find no rationale for the code of such a security-sensitive part of the system being put into a situation where it cannot benefit from many eyes and code peer review.
There is hope. I have learned that there is a plan that, as the OpenID consumption of Launchpad matures, we will be able to choose which OpenID provider to use and not be bound to either the closed Launchpad or Ubuntu providers when logging into Launchpad.
What are your thoughts?