Date: Thu, 30 May 2013 19:45:22 +0000
From: George Liaskos <geo.liaskos@gmail.com>
To: d@delphij.net
Cc: freebsd-chromium@freebsd.org, Kris Moore <kris@pcbsd.org>, phajdan.jr@chromium.org
Subject: Re: using API keys in the FreeBSD Chromium port
Message-ID: <CANcjpOCF3XUXkieGaFbY5zMOoyYqca=fd0OZnqUrfGF%2BGOe27w@mail.gmail.com>
In-Reply-To: <51A7A6E1.3000104@delphij.net>
References: <51A5F67F.3010706@freebsd.org>
 <51A6EFE3.7030306@delphij.net>
 <CANcjpOA0ojn3FewS-gWCC_o=Cv9M3Tk9Op6u=n5bYS_p4b7Lqg@mail.gmail.com>
 <51A7A6E1.3000104@delphij.net>

> - Don't ship the port with a key. Instead, require the builder
>   (currently everyone who runs FreeBSD) to acquire one for themselves.
>   When the key is not present, don't build the features that require an
>   API key.
> - On FreeBSD package building cluster (as well as PC-BSD ones),
>   deploy the "official" key and make binaries there.
>
> I don't see how this would even work as expected, though: the key is
> embedded in the binary and thus anyone who can run the binary and have
> debugging tools would be able to extract it. This situation is
> totally different from normal OAuth scenario, where API key is
> deployed on servers and protected from being accessed by average
> users, and the API provider can easily block misbehaving client when
> the key is "stolen".

I may be wrong but I don't think that this is feasible, you cannot
expect every end user to generate keys so he can use the browser.

We just need a key that will be "blessed" as official for FreeBSD, just
like Debian [0], Gentoo [1], Arch [2] and others have done.

[0] http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git;a=blob;f=debian/rules;hb=HEAD
[1] http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-client/chromium/chromium-9999-r1.ebuild?view=markup
[2] https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/chromium