On Fri, Sep 24, 2010 at 8:58 AM, Benji York <benji.y...@canonical.com> wrote:
> On Thu, Sep 23, 2010 at 4:15 PM, Gavin Panella
> <gavin.pane...@canonical.com> wrote:
>> If I'm collaborating on, reviewing, or otherwise running a
>> not-expected-to-be-evil-but-not-known-to-be-safe Launchpad API
>> consumer, I'd like to be able to say "please use a read-only token
>> this time instead of the desktop token" to reduce the possibility of
>> mishap. Will that be possible?
>
> It's possible, but probably not what we really want to do. Here are a
> few scenarios:

I think you have some hidden assumptions in your scenarios; I interpret
them rather differently.

> 1) the app is evil: you're screwed so it doesn't matter if you give it
> read-only or not

Read-only public data is hardly screwed. Read-only private data may lead
to disclosure but not to privilege escalation. 'Screwed' in this
situation is unlike screwed in life: one can be a little bit screwed
here, and a little bit is better than totally.

> 2) the app only reads data: you're fine, but you would have been fine
> with read/write access anyway

Apps that only read data can be evil too; I don't quite see the
distinction you're trying to draw.

> 3) the app wants to write data: you're fine up until the point the app
> writes, at which point it dies a horrible death, confusing and
> irritating the end user

If an app needs to write, it would help for it to clearly say:
 - what it needs to write
 - why it needs to write

And that should be presented on the OAuth authorisation screen. That is,
rather than:

[] ro
[] rw
[] ro private
[] rw private

The dialog might be:

Foo wants rw private access to operate
Y/N

This would make it much clearer.

> 4) the app isn't evil but has a bug such that it makes unwanted writes
> to LP

> The only case where granting a desktop app a read-only token would have
> helped you is 4.

I argue above that this is incorrect: all four cases would benefit by
being able to say how much access is permitted.

> If that case is a big enough concern to do something
> about, it would be better remedied by a launchpadlib API that lets an
> app request read-only access instead of making the user know that a
> particular app only needs read-only access and remembering to choose it
> when prompted by LP.

-Rob

_______________________________________________
Mailing list: https://launchpad.net/~launchpad-dev
Post to     : launchpad-dev@lists.launchpad.net
Unsubscribe : https://launchpad.net/~launchpad-dev
More help   : https://help.launchpad.net/ListHelp