> Unmaintained critical infrastructure is bad news.
(article author here)
To add to @callahad's excellent points: unmaintained critical infrastructure on your security perimeter is even worse, and a service like Persona is about as security-critical as you can get!
Persona was (and will remain until the end of November) covered by Mozilla's bug bounty program, meaning that it has been getting regular security bugs filed against it. Most have been spurious, some have not, but each of them has been a fire-drill because Persona gates access to so many of Mozilla's internal services.
We have been able to respond effectively so far, because there's a core of ex-Persona developers kicking around other projects at Mozilla, who we've been able to pull back in for these critical maintenance tasks. But that's not sustainable indefinitely.
The only responsible choices for a security-sensitive service like this are (a) staff it properly, or (b) tear it down gracefully. I'm personally quite disappointed that we couldn't find a path to success for Persona at Mozilla, but I'm grateful we've at least found the resources to do (b).