Open nedrichards opened 6 years ago
If you just want to stop web crawlers finding it maybe store it in the manifest encoded in like base64 and decode it as part of the build process?
I don't think that'd make a measurable difference, but it could be a strategy to obscure if needed. @ramcq suggested:
could we provision a flathub worker gpg key, which is copied onto each worker and could decrypt stuff which you encrypt to that key? and it can be copied over to the worker from the master
Which would be a longer term solution. For now, I'll just put the key in the manifest and revoke it if there are issues.
Well once the key is in the application the user can always extract it...
The only value I can think of is as I said, avoiding scrapers on github and I don't think we need actual encryption to do that.
We need something like this for the future FeedReader in order to build the Feedly plugin. Currently, we use some env vars defined in the manifest that we replace with the ones defined on Gitlab CI. I think the best way to resolve this is to have the possibility to define env variables in flathub.org/ and be able to use them in the manifest.
I'm still not sure what this accomplishes. Users will always be able to pull the key out of feedreader. So in the end this is just obfuscation to stop crawlers which can be done any way you want.
Well, it's the difference between leaving the door unlocked and open and having a spare key somewhere hidden in the yard.
I'm about to release a first beta of NewsFlash and was hoping this would by now be possible. The problem with the feedly API secret is that feedly is extremely strict about handing them out. For now I am using one that could be found in the code of an old Sailfish OS application. But ideally I want to apply for a unique secret. For FeedReader, where the secret is simply in the code, my application got denied. Granted, for unspecified reasons. But not leaking the secret in a too obvious way is for sure part of getting one.
So my only option, if I still want to apply to get a secret, is to have a non-working feedly backend in the flathub build.
edit: in the gitlab CI pipeline we use two environment variables that can only be accessed by members of the project. That seems to work well for us so far.
Any updates on this issue?
Maybe implement something similar to Github's ?
This will be mitigated by allowing external builds.
I'd need this as well for Karapulse's Spotify application key.
in the gitlab CI pipeline we use two environment variables that can only be accessed by members of the project. That seems to work well for us so far.
The gitlab solution also takes care of censoring the secrets from the build logs, so they don't accidentally appear there.
The plan is to finish this in January.
I've packaged Minitube as a flatpak and would like to add it to Flathub. However this requires specifying a YouTube API key. From the minitube readme:
What's the best way to get this into the build process? Whilst the quota is high (I'm not worried about flathub blowing through it yet), I'd prefer not to have this secret exposed to the internet.