pimutils / vdirsyncer

📇 Synchronize calendars and contacts.
https://vdirsyncer.pimutils.org/

Hardcoded credentials for Google storage type #407

Closed untitaker closed 8 years ago

untitaker commented 8 years ago

Currently there are hardcoded OAuth credentials for the Google storage type. The precedent for this is gcalcli. I wonder though how this is going to fly with packaging.

Seeking feedback from

(could have used the new packaging team for this CC, but at the moment invites are still pending)

untitaker commented 8 years ago

Oops:

Developer credentials (such as passwords, keys, and client IDs) are intended to be used by you and identify your API Client. You will keep your credentials confidential and make reasonable efforts to prevent and discourage other API Clients from using your credentials. Developer credentials may not be embedded in open source projects.
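
A check a packager or reviewer could run over a source tree before release, to catch exactly the kind of embedded credential the ToS excerpt above forbids. This is an added example, not vdirsyncer's code or tooling; the patterns follow the public shape of Google OAuth client IDs (`<project number>-<hash>.apps.googleusercontent.com`) and of client secrets issued since 2021 (`GOCSPX-` prefix), with a looser fallback for older secrets assigned to a `client_secret`-like name. The sample source it scans is constructed and its credentials are made up.

```python
"""Scan source text for embedded Google OAuth client credentials.

Added example for this thread, not part of vdirsyncer. Findings are
redacted so the check itself does not leak a secret into CI logs.
"""
import re

# Google client IDs: <project number>-<opaque hash>.apps.googleusercontent.com
CLIENT_ID_RE = re.compile(r"\b\d{8,}-[a-z0-9]{10,}\.apps\.googleusercontent\.com\b")
# Client secrets issued since 2021 start with GOCSPX-; older ones are opaque,
# so additionally flag a literal string assigned to a client_secret-like name.
CLIENT_SECRET_RE = re.compile(r"\bGOCSPX-[A-Za-z0-9_-]{20,}\b")
SECRET_ASSIGN_RE = re.compile(r"(?i)client[_-]?secret\s*[:=]\s*['\"]([^'\"]{16,})['\"]")


def redact(value):
    """Keep just enough of a match to locate it, never the whole value."""
    if len(value) <= 12:
        return "***"
    return value[:4] + "..." + value[-4:]


def find_embedded_google_credentials(source, filename="<source>"):
    """Return (filename, lineno, kind, redacted_value) for each hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in CLIENT_ID_RE.finditer(line):
            findings.append((filename, lineno, "client_id", redact(m.group(0))))
        secret_hits = [m.group(0) for m in CLIENT_SECRET_RE.finditer(line)]
        if not secret_hits:
            # Fallback only when the definite GOCSPX- pattern did not fire,
            # so one hardcoded secret is reported once.
            secret_hits = [m.group(1) for m in SECRET_ASSIGN_RE.finditer(line)]
        for value in secret_hits:
            findings.append((filename, lineno, "client_secret", redact(value)))
    return findings


def scan_files(paths):
    """Convenience wrapper over real files, e.g. from a pre-release hook."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(find_embedded_google_credentials(fh.read(), path))
    return findings


# Constructed sample, not vdirsyncer's source; both credentials are made up.
SAMPLE_SOURCE = '''\
# storage backend for Google
CLIENT_ID = "123456789012-abcdefghijklmnopqrstuvwxyz012345.apps.googleusercontent.com"
CLIENT_SECRET = "GOCSPX-aBcDeFgHiJkLmNoPqRsTuVwXyZ0123"
TOKEN_URL = "https://oauth2.googleapis.com/token"
client_secret = config.get("client_secret")  # supplied by the user: not flagged
'''

if __name__ == "__main__":
    for filename, lineno, kind, value in find_embedded_google_credentials(SAMPLE_SOURCE):
        print("%s:%d: embedded %s %s" % (filename, lineno, kind, value))
```

Lines 2 and 3 of the sample are reported; the token endpoint URL and the config lookup on line 5 are not, which is the distinction the thread is after: URLs and code that read the user's own credentials are fine to ship, Google-issued values are not.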

mathstuf commented 8 years ago

I think the normal way to do this is to code it up so that the user can grab their own API client key for use locally. If that means they need to sign up to be a Google Developer themselves, Google needs to figure out a better way…

WhyNotHugo commented 8 years ago

I think the normal way to do this is to code it up so that the user can grab their own API client key for use locally. If that means they need to sign up to be a Google Developer themselves, Google needs to figure out a better way…

I'd much rather embed a code (even if it's against the recommendations), than force users to register as google developers and grab a key just to use this.

We can, of course, have a distro-specific key if upstream would rather not provide one.

untitaker commented 8 years ago

That's not a recommendation, it's the ToS.

On 6 April 2016 17:24:16 CEST, Hugo Osvaldo Barrera notifications@github.com wrote:

I think the normal way to do this is to code it up so that the user can grab their own API client key for use locally. If that means they need to sign up to be a Google Developer themselves, Google needs to figure out a better way…

I'd much rather embed a code (even if it's against the recommendations), than force users to register as google developers and grab a key just to use this.

We can, of course, have a distro-specific key if upstream would rather not provide one.


WhyNotHugo commented 8 years ago

That's not a recommendation, it's the ToS.

Given that the ToS forbid including a credential, does google explain how users are supposed to deal with this?

mathstuf commented 8 years ago

Not use FOSS. Obviously.

More seriously, OAuth really doesn't have a FOSS-friendly workflow (AFAIK). If the key is found in the open, Google is likely to just disable it, blocking everyone's access with vdirsyncer. The only ToS-compatible way I've heard of for OAuth is to add code for users to fetch their own client API key.
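
The ToS-compatible approach mathstuf describes, sketched as an added example (not vdirsyncer's code): the Google storage type takes `client_id` and `client_secret` from the user's own config section, or from environment variables, and refuses to run without them rather than falling back to anything baked into the source. The config keys, the `GOOGLE_CLIENT_ID`/`GOOGLE_CLIENT_SECRET` variable names, the loopback redirect URI and the function names are this example's own assumptions; the endpoint and scope URLs are Google's documented ones. The example config section is constructed and its client ID is a made-up value in the shape Google issues.

```python
"""Google OAuth client credentials supplied by the user, not by the source.

Added example for this thread, not vdirsyncer's code. Builds the OAuth 2.0
authorization request and token exchange from user-provided credentials
so nothing Google-issued has to be committed to the repository.
"""
import os
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Google's OAuth 2.0 endpoints and API scopes (public, documented values).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
SCOPES = {
    "google_calendar": "https://www.googleapis.com/auth/calendar",
    "google_contacts": "https://www.googleapis.com/auth/carddav",
}


class MissingClientCredentials(ValueError):
    """Raised instead of silently falling back to a baked-in client."""


def load_client_credentials(section, environ=None):
    """Return (client_id, client_secret) for a storage section.

    Lookup order: keys in the section, then GOOGLE_CLIENT_ID /
    GOOGLE_CLIENT_SECRET (hypothetical names). There is deliberately no default.
    """
    if environ is None:
        environ = os.environ
    client_id = section.get("client_id") or environ.get("GOOGLE_CLIENT_ID")
    client_secret = section.get("client_secret") or environ.get("GOOGLE_CLIENT_SECRET")
    if not client_id or not client_secret:
        raise MissingClientCredentials(
            "storage %r needs client_id and client_secret: create an OAuth client "
            "ID in the Google API console and put both values in your config"
            % section.get("type"))
    return client_id, client_secret


def new_state():
    """Unguessable value tying the browser callback to this request."""
    return secrets.token_urlsafe(16)


def authorization_url(storage_type, client_id, redirect_uri, state):
    """Consent URL the user opens in a browser."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": SCOPES[storage_type],
        "access_type": "offline",  # ask for a refresh token; sync runs unattended
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to us.

    A state mismatch is rejected: that is what stops a forged callback
    from binding someone else's account to this configuration.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError("authorization failed: %s" % query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch in OAuth callback")
    return query["code"][0]


def token_request(code, client_id, client_secret, redirect_uri):
    """(url, form fields) for exchanging the code for tokens via HTTP POST.

    The user's client_secret travels only to Google's token endpoint.
    """
    fields = {
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    }
    return TOKEN_ENDPOINT, fields


# Constructed example config section; the client_id is made up, not a real one.
EXAMPLE_SECTION = {
    "type": "google_calendar",
    "client_id": "123456789012-examplehashvalue.apps.googleusercontent.com",
    "client_secret": "example-secret-not-real",
    "token_file": "~/.vdirsyncer/google_calendar_token",
}

if __name__ == "__main__":
    cid, csec = load_client_credentials(EXAMPLE_SECTION, environ={})
    state = new_state()
    print("open in a browser:", authorization_url("google_calendar", cid, "http://127.0.0.1:8080/", state))
    # Google then redirects to the loopback URI with ?state=...&code=...;
    # parse_callback() checks the state before token_request() is POSTed.
```

The cost of this design is the one mathstuf names: every user has to register a client in the Google console once. What it buys is that a single revoked key cannot lock out every vdirsyncer installation at once, and that distributors have nothing to strip or substitute.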

geier commented 8 years ago

well, we could always XOR our API key in the source code, that makes the credentials confidential and is a reasonable effort to prevent and discourage other API Clients from using your credentials. :stuck_out_tongue_winking_eye:

Edit: I myself am not sure how serious this suggestion is yet.