bugsnag / bugsnag-android-gradle-plugin

Gradle plugin for BugSnag which uploads ProGuard, DexGuard and NDK mapping files, and sends build notifications
https://docs.bugsnag.com/build-integrations/gradle/
MIT License
70 stars 38 forks

Why was apiKey removed? #348

Closed valeriyo closed 3 years ago

valeriyo commented 3 years ago

I'm integrating the latest Bugsnag (library 5.3.0, and plugin 5.6.0).

The runtime library allows specifying the API key in code - i.e. out of AndroidManifest.xml. And I'd like to keep it out of the manifest - it's company policy.

Turns out that the plugin requires that the API key is in AndroidManifest.xml - and there was a commit (https://github.com/bugsnag/bugsnag-android-gradle-plugin/commit/a3288c34dc0288e0832a8f02d497d11ea7b74b22) removing it from the Gradle build script.

What's the explanation for this?

xljones commented 3 years ago

Hey @valeriyo, the apiKey property was removed as it had caused confusion in the past. Having the API key in one single place reduced this issue. Your Bugsnag API key is a public key, and not private, so it's safe to put into your manifest. The API key does not allow for any read access to your data.

valeriyo commented 3 years ago

The client library allows overriding apiKey in multiple places, even in the per-event callback. So, what confusion are you talking about? You've removed the functionality from the gradle plugin, causing a feature gap between the plugin and the run-time library, and the best of your explanation is "it had caused confusion in the past"? Am I missing something here? Where is the issue that called for apiKey removal? I can't find it.

valeriyo commented 3 years ago

And why would you close this ticket @xander-jones without a proper follow-up?

valeriyo commented 3 years ago

> Your Bugsnag API key is a public key

What's that claim based on? It provides access to writing against the quota, so it could be exploited to effectively do a Denial of Service.