Date: Thu, 30 May 2013 18:28:00 -0400 (EDT) From: "Lawrence K. Chen, P.Eng." <lkchen@ksu.edu> To: George Liaskos <geo.liaskos@gmail.com> Cc: freebsd-chromium@freebsd.org Subject: Re: using API keys in the FreeBSD Chromium port Message-ID: <1239531525.21357067.1369952880052.JavaMail.root@k-state.edu> In-Reply-To: <CANcjpOCF3XUXkieGaFbY5zMOoyYqca=fd0OZnqUrfGF%2BGOe27w@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
----- Original Message ----- > > > > > > - Don't ship the port with a key. Instead, require the builder > > (currently everyone who runs FreeBSD) to acquire one for > > themselves. > > When the key is not present, don't build the features that requires > > an > > API key. > > - On FreeBSD package building cluster (as well as PC-BSD ones), > > deploy the "official" key and make binaries there. > > > > I don't see how this would even work as expected, though: the key > > is > > embedded in the binary and thus anyone who can run the binary and > > have > > debugging tools would be able to extract it. This situation is > > totally different from normal OAuth scenario, where API key is > > deployed on servers and protected from being accessed by average > > users, and the API provider can easily block misbehaving client > > when > > the key is "stolen". > > > I may be wrong but i don't think that this is feasible, you can not > expect > every enduser to generate keys so he can use the browser. > > We just need a key that will be "blessed" as official for FreeBSD, > just > like Debian [0], Gentoo [1], Arch [2] and others have done. > > [0] > http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git;a=blob;f=debian/rules;hb=HEAD > [1] > http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-client/chromium/chromium-9999-r1.ebuild?view=markup > [2] > https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/chromium And, presumably https://github.com/gliaskos/freebsd-chromium/commit/8701e94cc54126d6907d7665b5181e5d53705d90 is the official FreeBSD one. But the question is whether how Debian/Gentoo/Arch, and now FreeBSD, are distributing the keys in violation of http://www.chromium.org/developers/how-tos/api-keys "Note that the keys you have now acquired are not for distribution purposes and must not be shared with other users." I see geolocation is part api keys..is that why it hasn't been working since 23? Wonder if everybody who runs FreeBSD could just join the FreeBSD team and see the key?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1239531525.21357067.1369952880052.JavaMail.root>