From: "Lawrence K. Chen, P.Eng."
To: George Liaskos
Cc: freebsd-chromium@freebsd.org
Date: Thu, 30 May 2013 18:28:00 -0400 (EDT)
Subject: Re: using API keys in the FreeBSD Chromium port
Message-ID: <1239531525.21357067.1369952880052.JavaMail.root@k-state.edu>

----- Original Message -----
> >
> > - Don't ship the port with a key. Instead, require the builder
> >   (currently everyone who runs FreeBSD) to acquire one for themselves.
> >   When the key is not present, don't build the features that require
> >   an API key.
> > - On FreeBSD package building cluster (as well as PC-BSD ones),
> >   deploy the "official" key and make binaries there.
> >
> > I don't see how this would even work as expected, though: the key is
> > embedded in the binary and thus anyone who can run the binary and has
> > debugging tools would be able to extract it. This situation is
> > totally different from normal OAuth scenario, where API key is
> > deployed on servers and protected from being accessed by average
> > users, and the API provider can easily block misbehaving client when
> > the key is "stolen".
>
> I may be wrong but I don't think that this is feasible, you cannot expect
> every end user to generate keys so he can use the browser.
>
> We just need a key that will be "blessed" as official for FreeBSD, just
> like Debian [0], Gentoo [1], Arch [2] and others have done.
>
> [0] http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git;a=blob;f=debian/rules;hb=HEAD
> [1] http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-client/chromium/chromium-9999-r1.ebuild?view=markup
> [2] https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/chromium

And, presumably https://github.com/gliaskos/freebsd-chromium/commit/8701e94cc54126d6907d7665b5181e5d53705d90 is the official FreeBSD one.

But the question is whether how Debian/Gentoo/Arch, and now FreeBSD, are distributing the keys is in violation of http://www.chromium.org/developers/how-tos/api-keys

"Note that the keys you have now acquired are not for distribution purposes and must not be shared with other users."

I see geolocation is part of the API keys... is that why it hasn't been working since 23?

Wonder if everybody who runs FreeBSD could just join the FreeBSD team and see the key?