[twitter-dev] Re: Security Best Practices

Wed, 01 Jul 2009 08:18:47 -0700
Sounds like the assumption is that part of the keypair is in the source. That is clearly a bad idea ... The software should obly provide for processes and not ever content 

Sent from my iPhone

On Jul 1, 2009, at 11:10 AM, Andrew Badera <[email protected]> wrote:




No one's snarking, but again, interesting you would interpret it  
that way.


Open source all you want, each person deploying an instance will have
to get their own keys. What's so tough about that?




On Wed, Jul 1, 2009 at 11:07 AM,  
DWRoelands<[email protected]> wrote:


Andrew,

This isn't about credit in the source parameter.  It's about
application security.

Twitter has stated that Basic Auth will eventually be deprecated.
OAuth will eventually be the only method of authentication available.

When that happens, developers of open source clients will be forced  
to

reveal their Consumer Key Secret.


This is a very real problem; open-source developers of desktop  
clients

will have to reveal their Consumer Key Secret.

Can we keep this discussion focused on the technical issues at hand,
rather than snarking about one another's motives?  It's not
productive.

Regards,
Duane


On Jul 1, 10:57 am, Andrew Badera <[email protected]> wrote:

Not what I said in the least, but it's interesting that you should
interpret it that way.

Re-read what I said.

If someone is open sourcing something, in the true spirit of open
source, they shouldn't care about getting credit in the source
parameter.

Thanks you and good night, I'm here all week, try the veal, don't
forget to tip your waitresses and angry developers.




On Wed, Jul 1, 2009 at 10:50 AM, Cameron  
Kaiser<[email protected]> wrote:



Yes, but don't distribute it. Obviously config files are human
readable, but you blank out secrets before publishing them.



People using open source libraries will have to get their own  
keys.
So, either you really are contributing in the spirit of open  
source,
and you don't care about getting credit, or you're doing it for  
self

promotional purposes, and the conversation is moot anyhow.



That's an asinine statement. So everybody who doesn't make their  
open

source software anonymous is a publicity whore?



--
------------------------------------ personal:http://www.cameronkaiser.com/--

 Cameron Kaiser * Floodgap Systems *www.floodgap.com*  
[email protected]
-- In memory of John Banner  
---------------------------------------------------































					Reply via email to