Date: Thu, 30 May 2013 13:23:30 -0700
From: Paweł Hajdan, Jr. <phajdan.jr@chromium.org>
To: d@delphij.net
Cc: freebsd-chromium@freebsd.org, Kris Moore <kris@pcbsd.org>
Subject: Re: using API keys in the FreeBSD Chromium port
Message-ID: <CAATLsPb4q9=ihVX5EBwaEKvyN171W_XCyf0h8BiGRb=4wTYm4w@mail.gmail.com>
In-Reply-To: <51A7A6E1.3000104@delphij.net>
References: <51A5F67F.3010706@freebsd.org> <51A6EFE3.7030306@delphij.net> <CANcjpOA0ojn3FewS-gWCC_o=Cv9M3Tk9Op6u=n5bYS_p4b7Lqg@mail.gmail.com> <51A7A6E1.3000104@delphij.net>

René should now have an official response from an @google.com e-mail.

Please let me know if after that there are still some issues - and consider https://groups.google.com/a/chromium.org/forum/#!forum/chromium-packagers for further questions. :)

Paweł

On Thu, May 30, 2013 at 12:22 PM, Xin Li <delphij@delphij.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 05/30/13 11:46, George Liaskos wrote:
> >>
> >> What's the purpose of these keys? E.g. are they used to encrypt
> >> sensitive information, or are they used to identify that "this
> >> user is running this client, unchanged"?
> >>
> >
> > From what I understand, the key should be unique per "derivative".
> > It's used to identify the client, like User Agent one could say but
> > with a quota on API calls.
> >
> > In this sense the "Official" Chromium port on FreeBSD should have a
> > unique key.
> >
> > https://groups.google.com/a/chromium.org/forum/?fromgroups#!topic/chromium-dev/Qks4W0xLxqc
>
> Ah, ok so this is for identifying the client. I personally don't
> think this would work though.
>
> In order to do this, I think the only way would be:
>
> - Don't ship the port with a key. Instead, require the builder
> (currently everyone who runs FreeBSD) to acquire one for themselves.
> When the key is not present, don't build the features that require an
> API key.
> - On FreeBSD package building cluster (as well as PC-BSD ones),
> deploy the "official" key and make binaries there.
>
> I don't see how this would even work as expected, though: the key is
> embedded in the binary and thus anyone who can run the binary and has
> debugging tools would be able to extract it. This situation is
> totally different from normal OAuth scenario, where API key is
> deployed on servers and protected from being accessed by average
> users, and the API provider can easily block misbehaving client when
> the key is "stolen".
>
> Cheers,
> - --
> Xin LI <delphij@delphij.net> https://www.delphij.net/
> FreeBSD - The Power to Serve! Live free or die
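
The quoted point that a key compiled into the binary can be read back by anyone who holds the binary, shown as an added example that is not part of the original thread: a packager-side audit that finds key-shaped strings in a build artifact and reports whether one of them is the build cluster's official key. The key format, the sample bytes and all names here are assumptions or constructed data.

```python
import hashlib
import re

# Assumption (not stated in the thread): a Google API key is "AIza" followed
# by 35 URL-safe characters, 39 characters in total.
ASCII_RE = re.compile(rb"AIza[0-9A-Za-z_-]{35}")
UTF16_RE = re.compile(rb"A\x00I\x00z\x00a\x00(?:[0-9A-Za-z_-]\x00){35}")


def scan_blob(blob):
    """Return (offset, encoding, key) for every key-shaped string in blob."""
    hits = []
    for enc, rx in (("ascii", ASCII_RE), ("utf-16le", UTF16_RE)):
        for m in rx.finditer(blob):
            hits.append((m.start(), enc, m.group().decode(enc)))
    return sorted(hits)


def audit(blob, official_sha256):
    """Classify each embedded key without the auditor holding the key itself."""
    report = []
    for offset, enc, key in scan_blob(blob):
        digest = hashlib.sha256(key.encode()).hexdigest()
        kind = "official" if digest == official_sha256 else "other"
        # Redact so the report can be shared without leaking the key.
        report.append((offset, enc, kind, key[:6] + "..." + key[-2:]))
    return report


# Constructed sample data: fake keys and a fake "binary" image.
FAKE_OFFICIAL = "AIza" + "C" * 35
FAKE_PERSONAL = "AIza" + "d" * 35
OFFICIAL_SHA256 = hashlib.sha256(FAKE_OFFICIAL.encode()).hexdigest()
SAMPLE = (b"\x7fELF\x00\x01" + FAKE_OFFICIAL.encode() + b"\x00.rodata\x00"
          + FAKE_PERSONAL.encode("utf-16le") + b"\x00\x00")

if __name__ == "__main__":
    for row in audit(SAMPLE, OFFICIAL_SHA256):
        print(row)
```

Run against a package built outside the cluster, an "official" row means the official key has leaked into a build that should not carry it.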