Nancy,

You're right - it is a bad idea. However, it appears to be the only option that Twitter has left to open-source developers who wish to implement OAuth. There doesn't seem to be any way around distributing my application's Consumer Key Secret.

Regards,
Duane

On Jul 1, 11:17 am, Nancy Miracle <[email protected]> wrote:
> Sounds like the assumption is that part of the keypair is in the
> source. That is clearly a bad idea ... The software should only
> provide for processes and not ever content
>
> Sent from my iPhone
>
> On Jul 1, 2009, at 11:10 AM, Andrew Badera <[email protected]> wrote:
>
> > No one's snarking, but again, interesting you would interpret it
> > that way.
> >
> > Open source all you want, each person deploying an instance will have
> > to get their own keys. What's so tough about that?
> >
> > On Wed, Jul 1, 2009 at 11:07 AM,
> > DWRoelands<[email protected]> wrote:
> >
> >> Andrew,
> >>
> >> This isn't about credit in the source parameter. It's about
> >> application security.
> >>
> >> Twitter has stated that Basic Auth will eventually be deprecated.
> >> OAuth will eventually be the only method of authentication available.
> >> When that happens, developers of open source clients will be forced
> >> to reveal their Consumer Key Secret.
> >>
> >> This is a very real problem; open-source developers of desktop
> >> clients will have to reveal their Consumer Key Secret.
> >>
> >> Can we keep this discussion focused on the technical issues at hand,
> >> rather than snarking about one another's motives? It's not
> >> productive.
> >>
> >> Regards,
> >> Duane
> >>
> >> On Jul 1, 10:57 am, Andrew Badera <[email protected]> wrote:
> >>> Not what I said in the least, but it's interesting that you should
> >>> interpret it that way.
> >>>
> >>> Re-read what I said.
> >>>
> >>> If someone is open sourcing something, in the true spirit of open
> >>> source, they shouldn't care about getting credit in the source
> >>> parameter.
> >>>
> >>> Thank you and good night, I'm here all week, try the veal, don't
> >>> forget to tip your waitresses and angry developers.
> >>>
> >>> On Wed, Jul 1, 2009 at 10:50 AM, Cameron
> >>> Kaiser<[email protected]> wrote:
> >>>
> >>>>> Yes, but don't distribute it. Obviously config files are human
> >>>>> readable, but you blank out secrets before publishing them.
> >>>>>
> >>>>> People using open source libraries will have to get their own
> >>>>> keys.
> >>>>> So, either you really are contributing in the spirit of open
> >>>>> source, and you don't care about getting credit, or you're doing
> >>>>> it for self promotional purposes, and the conversation is moot
> >>>>> anyhow.
> >>>>
> >>>> That's an asinine statement. So everybody who doesn't make their
> >>>> open source software anonymous is a publicity whore?
> >>>>
> >>>> --
> >>>> ------------------------------------
> >>>> personal: http://www.cameronkaiser.com/ --
> >>>> Cameron Kaiser * Floodgap Systems * www.floodgap.com *
> >>>> [email protected]
> >>>> -- In memory of John Banner
> >>>> ---------------------------------------------------
