Seriously, are we still beating this dead old horse? Closed or open source doesn't matter. The fact that a consumer key and secret (!) are redistributed = design FAILURE.
It's trivial to recover the consumer key and secret from a closed source application, which can in turn be used in a malicious application ... The consumer key and secret CANNOT be used as a form of application authentication. It's not trustworthy enough. This is an inherent design deficiency in OAuth.

On 1/18/10 2:46 PM, ryan alford wrote:
> Agreed.
>
> The reason you don't want to give out YOUR consumer key and consumer
> secret in your open-source code is because somebody could download your
> code, make malicious changes to make it do something bad, and now their
> app looks exactly like yours to Twitter since the consumer keys are the
> same. So when that app starts causing problems for users, it's YOU that
> they start contacting.

--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest way to change is to laugh at your own folly -- then you can let go and quickly move on." (p. 70)
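The point made in this message, as an added example that is not part of the original thread: an OAuth 1.0 HMAC-SHA1 signature (RFC 5849) proves only that the sender holds the consumer secret, so the provider's check passes for every build that ships the same pair. The key, secret, URL, nonces and timestamp below are constructed values, and `server_accepts`, `build_request` and `demo` are hypothetical names used for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(s):
    # RFC 5849 section 3.6 percent-encoding: only unreserved characters stay literal
    return quote(str(s), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret=""):
    # Signature base string: METHOD & encoded URL & encoded sorted parameter string
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(norm)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def server_accepts(method, url, params, signature, secrets):
    # Provider-side check: look up the secret by consumer key, recompute, compare
    secret = secrets.get(params.get("oauth_consumer_key"))
    if secret is None:
        return False
    return hmac.compare_digest(sign(method, url, params, secret), signature)

# Constructed values, not real credentials or a real endpoint
SECRETS = {"demo-consumer-key": "demo-consumer-secret"}
URL = "https://api.example.test/oauth/request_token"

def build_request(shipped_key, shipped_secret, nonce):
    # Any binary that carries the same key/secret pair builds requests this way
    params = {
        "oauth_consumer_key": shipped_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1263843960",
        "oauth_version": "1.0",
    }
    return params, sign("POST", URL, params, shipped_secret)

def demo():
    original = build_request("demo-consumer-key", "demo-consumer-secret", "n1")
    modified_build = build_request("demo-consumer-key", "demo-consumer-secret", "n2")
    wrong_secret = build_request("demo-consumer-key", "guess", "n3")
    return [server_accepts("POST", URL, p, s, SECRETS)
            for p, s in (original, modified_build, wrong_secret)]

if __name__ == "__main__":
    print(demo())
```

The provider can tell a wrong secret from a right one, but nothing in the signed request identifies which program produced it.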