From owner-freebsd-chromium@FreeBSD.ORG Thu May 30 19:45:23 2013 Return-Path: Delivered-To: freebsd-chromium@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 80FAED2 for ; Thu, 30 May 2013 19:45:23 +0000 (UTC) (envelope-from geo.liaskos@gmail.com) Received: from mail-ea0-x22c.google.com (mail-ea0-x22c.google.com [IPv6:2a00:1450:4013:c01::22c]) by mx1.freebsd.org (Postfix) with ESMTP id 1A78F143 for ; Thu, 30 May 2013 19:45:22 +0000 (UTC) Received: by mail-ea0-f172.google.com with SMTP id d10so762746eaj.17 for ; Thu, 30 May 2013 12:45:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=nQHnWDmCv+2T5VOHdMMjOKA9ucQjm0usXVtATCTFIp8=; b=ijxSVS/9SmTxvGMK/VqG9jEQBcxMUFBGF1wkTTzp6TzD0/IQGCWBvOuWF0xGphm4cc UpTREIoAYQn5G54NAIXvpjvnA3jLJne1U8Z7ceqIYsLwW0EYf0LoU7YtZFL3y4lDIrdZ HE8ZcrdSqbhHRAD4WDTqyZzaA9ke5kB0iL0VPrzCBwPEaKHB1yrSOk8F/dKgfzTabyXY WeY8kztk942z8KUCtM9zgE2xO3ZkbkIBAAWjTYJX8gNkDTJlJjr7kH3YZ7LW/46J+Uov Xoi+UVp/k3UBtz9DfUR3oOz6ZjGT4AYNVYghMjj9Me+7MASlQhj1qMe4pYs9kskjzGr5 mjkA== MIME-Version: 1.0 X-Received: by 10.15.74.193 with SMTP id j41mr10750901eey.69.1369943122190; Thu, 30 May 2013 12:45:22 -0700 (PDT) Received: by 10.223.68.145 with HTTP; Thu, 30 May 2013 12:45:22 -0700 (PDT) In-Reply-To: <51A7A6E1.3000104@delphij.net> References: <51A5F67F.3010706@freebsd.org> <51A6EFE3.7030306@delphij.net> <51A7A6E1.3000104@delphij.net> Date: Thu, 30 May 2013 19:45:22 +0000 Message-ID: Subject: Re: using API keys in the FreeBSD Chromium port From: George Liaskos To: d@delphij.net Content-Type: text/plain; charset=UTF-8 X-Content-Filtered-By: Mailman/MimeDel 2.1.14 Cc: freebsd-chromium@freebsd.org, Kris Moore , phajdan.jr@chromium.org X-BeenThere: freebsd-chromium@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: FreeBSD-specific Chromium issues List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 30 May 2013 19:45:23 -0000 > > > - Don't ship the port with a key. Instead, require the builder > (currently everyone who runs FreeBSD) to acquire one for themselves. > When the key is not present, don't build the features that requires an > API key. > - On FreeBSD package building cluster (as well as PC-BSD ones), > deploy the "official" key and make binaries there. > > I don't see how this would even work as expected, though: the key is > embedded in the binary and thus anyone who can run the binary and have > debugging tools would be able to extract it. This situation is > totally different from normal OAuth scenario, where API key is > deployed on servers and protected from being accessed by average > users, and the API provider can easily block misbehaving client when > the key is "stolen". I may be wrong but i don't think that this is feasible, you can not expect every enduser to generate keys so he can use the browser. We just need a key that will be "blessed" as official for FreeBSD, just like Debian [0], Gentoo [1], Arch [2] and others have done. [0] http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git;a=blob;f=debian/rules;hb=HEAD [1] http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-client/chromium/chromium-9999-r1.ebuild?view=markup [2] https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/chromium