Nancy,

You're right - it is a bad idea.  However, it appears to be the only
option that Twitter has left to open-source developers who wish to
implement OAuth.  There doesn't seem to be any way around distributing
my application's Consumer Key Secret.

Regards,
Duane


On Jul 1, 11:17 am, Nancy Miracle <nmira...@gmail.com> wrote:
> Sounds like the assumption is that part of the keypair is in the
> source.  That is clearly a bad idea ... The software should only
> provide for processes and not ever content
>
> Sent from my iPhone
>
> On Jul 1, 2009, at 11:10 AM, Andrew Badera <and...@badera.us> wrote:
>
> > No one's snarking, but again, interesting you would interpret it  
> > that way.
>
> > Open source all you want, each person deploying an instance will have
> > to get their own keys. What's so tough about that?
>
> > On Wed, Jul 1, 2009 at 11:07 AM, DWRoelands <duane.roela...@gmail.com> wrote:
>
> >> Andrew,
>
> >> This isn't about credit in the source parameter.  It's about
> >> application security.
>
> >> Twitter has stated that Basic Auth will eventually be deprecated.
> >> OAuth will eventually be the only method of authentication available.
> >> When that happens, developers of open source clients will be forced
> >> to reveal their Consumer Key Secret.
>
> >> This is a very real problem; open-source developers of desktop
> >> clients will have to reveal their Consumer Key Secret.
>
> >> Can we keep this discussion focused on the technical issues at hand,
> >> rather than snarking about one another's motives?  It's not
> >> productive.
>
> >> Regards,
> >> Duane
>
> >> On Jul 1, 10:57 am, Andrew Badera <and...@badera.us> wrote:
> >>> Not what I said in the least, but it's interesting that you should
> >>> interpret it that way.
>
> >>> Re-read what I said.
>
> >>> If someone is open sourcing something, in the true spirit of open
> >>> source, they shouldn't care about getting credit in the source
> >>> parameter.
>
> >>> Thank you and good night, I'm here all week, try the veal, don't
> >>> forget to tip your waitresses and angry developers.
>
> >>> On Wed, Jul 1, 2009 at 10:50 AM, Cameron Kaiser <spec...@floodgap.com> wrote:
>
> >>>>> Yes, but don't distribute it. Obviously config files are human
> >>>>> readable, but you blank out secrets before publishing them.
>
> >>>>> People using open source libraries will have to get their own
> >>>>> keys. So, either you really are contributing in the spirit of
> >>>>> open source, and you don't care about getting credit, or you're
> >>>>> doing it for self promotional purposes, and the conversation is
> >>>>> moot anyhow.
>
> >>>> That's an asinine statement. So everybody who doesn't make their
> >>>> open source software anonymous is a publicity whore?
>
> >>>> --
> >>>> ------------------------------------ personal: http://www.cameronkaiser.com/ --
> >>>>  Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckai...@floodgap.com
> >>>> -- In memory of John Banner ---------------------------------------------------
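
Added example, not part of the original thread and not code from any poster or from Twitter: one way to implement the approach quoted above, where the published config has its secrets blanked and each person deploying an instance supplies their own Consumer Key and Consumer Key Secret. The JSON field names, placeholder strings and function names are assumptions made for illustration.

```python
import json
import os
import stat

FIELDS = ("consumer_key", "consumer_secret")  # hypothetical field names
# Constructed placeholder values a published template may carry.
PLACEHOLDERS = {"", "YOUR_CONSUMER_KEY", "YOUR_CONSUMER_SECRET"}


class ConfigError(Exception):
    """Raised when the per-deployment credential file is unusable."""


def template_is_blanked(text):
    """Pre-publish check: True only if the config text carries no real secret."""
    cfg = json.loads(text)
    return all(str(cfg.get(f, "")).strip() in PLACEHOLDERS for f in FIELDS)


def load_consumer_credentials(path):
    """Load the deployer's own key and secret from a file kept out of the source tree."""
    mode = os.stat(path).st_mode
    # On POSIX, refuse a secret file that group or other users can access.
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise ConfigError(f"{path}: restrict to owner only (chmod 600)")
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    creds = {}
    for field in FIELDS:
        value = str(cfg.get(field, "")).strip()
        if value in PLACEHOLDERS:
            # A blank or template value means no keys were registered yet.
            raise ConfigError(f"{field} is blank; register your own application")
        creds[field] = value
    return creds
```

Running template_is_blanked over the config file in a release step catches a secret that was left in before publishing.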
