Date: Thu, 6 Jun 2013 15:45:29 -0400 From: "David P. Caldwell" <david@code.davidpcaldwell.com> To: freebsd-chromium@freebsd.org Subject: Re: using API keys in the FreeBSD Chromium port Message-ID: <CABBxOKkPC38WTEM=OWNo1baA2h4ybJKmhc=7ttwtMf52KM3Hrg@mail.gmail.com> In-Reply-To: <1239531525.21357067.1369952880052.JavaMail.root@k-state.edu> References: <CANcjpOCF3XUXkieGaFbY5zMOoyYqca=fd0OZnqUrfGF%2BGOe27w@mail.gmail.com> <1239531525.21357067.1369952880052.JavaMail.root@k-state.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
Thanks for doing this! I was a bit mystified as to why sync had broken, and stumbled here, eventually. I've used some of the other Google APIs and, at least for those, I'm pretty sure these are intended to be per-application (not per-user) keys, so I think including them in the build is consistent with what they are "normally" for. See https://code.google.com/apis/console/ where you "create a project" and get an API key that your application uses when issuing requests. See also https://developers.google.com/api-client-library/python/guide/aaa_apikeys I agree the language "don't share with other users" is confusing, so I'm not 100% sure. -- David Caldwell http://www.davidpcaldwell.com/ On Thu, May 30, 2013 at 6:28 PM, Lawrence K. Chen, P.Eng. <lkchen@ksu.edu> wrote: > > > ----- Original Message ----- >> > >> > >> > - Don't ship the port with a key. Instead, require the builder >> > (currently everyone who runs FreeBSD) to acquire one for >> > themselves. >> > When the key is not present, don't build the features that requires >> > an >> > API key. >> > - On FreeBSD package building cluster (as well as PC-BSD ones), >> > deploy the "official" key and make binaries there. >> > >> > I don't see how this would even work as expected, though: the key >> > is >> > embedded in the binary and thus anyone who can run the binary and >> > have >> > debugging tools would be able to extract it. This situation is >> > totally different from normal OAuth scenario, where API key is >> > deployed on servers and protected from being accessed by average >> > users, and the API provider can easily block misbehaving client >> > when >> > the key is "stolen". >> >> >> I may be wrong but i don't think that this is feasible, you can not >> expect >> every enduser to generate keys so he can use the browser. >> >> We just need a key that will be "blessed" as official for FreeBSD, >> just >> like Debian [0], Gentoo [1], Arch [2] and others have done. >> >> [0] >> http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git;a=blob;f=debian/rules;hb=HEAD >> [1] >> http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-client/chromium/chromium-9999-r1.ebuild?view=markup >> [2] >> https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/chromium > > And, presumably > > https://github.com/gliaskos/freebsd-chromium/commit/8701e94cc54126d6907d7665b5181e5d53705d90 > > is the official FreeBSD one. > > But the question is whether how Debian/Gentoo/Arch, and now FreeBSD, are distributing the keys in violation of > > http://www.chromium.org/developers/how-tos/api-keys > > "Note that the keys you have now acquired are not for distribution purposes and must not be shared with other users." > > I see geolocation is part api keys..is that why it hasn't been working since 23? > > Wonder if everybody who runs FreeBSD could just join the FreeBSD team and see the key? > _______________________________________________ > freebsd-chromium@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-chromium > To unsubscribe, send any mail to "freebsd-chromium-unsubscribe@freebsd.org"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CABBxOKkPC38WTEM=OWNo1baA2h4ybJKmhc=7ttwtMf52KM3Hrg>