Re: Clarifications regarding GNOME Online Accounts

On Sat, Feb 16, 2019 at 7:58 PM <mcatanzaro gnome org> wrote:
On Sat, Feb 16, 2019 at 11:58 AM, Michael Terry <mike mterry name>
> “Developer credentials (such as passwords, keys, and client IDs)
> are intended to be used by you and identify your API Client. You will
> keep your credentials confidential and make reasonable efforts to
> prevent and discourage other API Clients from using your credentials.
> Developer credentials may not be embedded in open source projects.”

It's not clear to me how g-o-a can continue to exist, then. Also,
Epiphany's Safe Browsing support. (How do Firefox and Chromium make
this work?)

I don't think any software can meet Google's requirements, if the binaries are distributed to end users. If you can run the program on your computer, you can use a debugger to extract the "secret" key. This model only makes sense for webapps and other programs which users don't run on their own computer.

There are several options:

1. require every user of the software to contact Google and obtain their own client ID, which they provide at runtime to any desktop software that needs to interact with Google APIs at
2. require distributors and people who build their own software to contact Google and obtain a client ID, which they provide at build time
3. continue distributing a "GNOME key" with the source code, and hope that Google don't mind

(1) puts a burden on end-users, who have to visit and navigate a non trivial process to obtain a key (or not use Google services).  (2) puts the burden on distributors.  Are there other options?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]