Actually, no. The process creates a completely new app key and secret
cloned from the original one. They do not have anything in common with
each other apart from the name and branding (and the user can change it
later; it's just a regular old app key). You can see this in action by
looking at TTYtter, which uses the process. They are not the same key
and secret at all.
I do agree that it should be passed over SSL rather than in the clear,
and Taylor was looking into this, last I spoke with him about it.
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * cka...@floodgap.com
-- What you don't know won't help you much either. -- D. Bennett --------------
When was this process turned on? (I just checked out TTYtter and
indeed, it works.) I asked for an update a couple weeks ago but I
hadn't seen anything here or on the announce list, so I assumed other
things had taken priority.
--
things change.
dec...@red-bean.com
No, it's not ideal: It's far far FAR from it.
> But we're supporting OAuth 1.0a right now, and for the safety of our users,
> for the ecosystem, and for you: please don't distribute API tokens and
> secrets in your open source projects.
Two wrongs here: First of all, you're saying that closed source apps
are safer for your users ('cause, in theory, the keys are harder to
get). That's false 'cause you can't assure, nor your users and neither
the ecosystem that a certain application will "call home" and send
information it shouldn't. Even worse for the "ecosystem" is that you
guys are forcing applications to be removed from it.
The second wrong is that you're, basically, telling us that we should
punish our users with a more complicated UX because we decided to
provide them with more freedom.
I may sound pissed and I am: Twitter was build on top of open source
apps (like Rails and now Cassandra) and basically you guys are
slapping every other open source application that use your APIs in the
face.
--
Julio Biason <julio....@gmail.com>
Twitter: http://twitter.com/juliobiason
"A mathematician is a device for turning coffee into theorems." - Paul Erdos
And what if I have a desktop application? Should I just screw my users
by either providing a very stupid user experience (making them
register a desktop application) or giving the key to their data with
my app? How is that a solution?
"A mathematician is a device for turning coffee into theorems." - Paul Erdos
Yep - sooner or later you have to build *some* kind of server to
protect your business, even if the majority of your functionality is
mobile or desktop. Given that, why not simply build as much of the
functionality into the server as possible and make a browser-based app
right from the start? ;-)
This is that "cloud computing stuff" that they talk about in those
expensive trade shows, right? ;-)
'Cause that's not what I want. If I wanted a browser based app, I'd
write on from start and not start it as a desktop app that can run on
4 different operating systems including one mobile[1]. If I wanted a
web app, I'd have to chose a hosting/provider to hold all users
accounts deal with all the logistics of giving users all the data they
want. Instead, I decided to write a desktop app, where the users have
their data whenever they want.
But you guys are taking this out of context: OSS apps _need_ a way to
expose their keys (as they are part of the application itself) without
having to worry about someone getting those keys and ruining the app
image by posting trash or using those same keys to get the same rights
a user gave to the app.
[1] And no, I didn't had to add any hacks or a stupid sequence of
#defines. I get all that for free.