
launchpad-dev team mailing list archive

Re: https://dev.launchpad.net/API "Authenticated Access Only" needs rationale

 

2009/9/21 Karl Fogel <karl.fogel@xxxxxxxxxxxxx>:
> Max Bowsher <maxb@xxxxxxx> writes:
>> Quoting https://dev.launchpad.net/API:
>>
>> """
>> Authenticated Access Only
>>
>> By design, there is no anonymous access through the API. You can do
>> read-only access (through a read-only token) but not anonymous access.
>> All API use is accounted to a person.
>> """
>>
>> Why?
>>
>> Please feel free to respond in the form of a wiki edit :-)

As it happens I coincidentally made that edit before seeing this
thread, pointing to
<https://bugs.launchpad.net/launchpad-foundations/+bug/385517>

> I'll answer here, and see if anyone follows up with more (or more
> correct) information, before we put this in the wiki.
>
> My understanding is that it's a way to have some safeguard against
> [possibly accidental] DoS.  If all accesses are authenticated, then if
> someone does something that causes a problem, we can shut off just that
> person's API access.  (Presumably, we'd then try to contact them and
> figure out a better solution.)

I think that was the original intention.  However, this was discussed
before and I believe it was agreed that the restriction causes more
trouble than it's worth.  Trouble, because many interesting Launchpad
clients only need anonymously readable data and inserting a human in
the loop makes them harder to deploy.  And not worth much because real
blocking of abuse must happen at the IP, URL, or request-per-second
level, and users can create as many accounts or tokens as they want.
Therefore, that bug.

That page also says that APIs are only available to beta-team members
(which wgrant tells me is no longer true) and only on edge, which I
guess is also not true.

-- 
Martin <http://launchpad.net/~mbp/>
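
The argument in the message above, that throttling keyed on an account or token does not contain abuse while throttling keyed on source address and request rate does, shown as an added example (not part of the original thread and not Launchpad code). The limiter class, the sample traffic and the limits are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window_ms` for each key."""

    def __init__(self, limit, window_ms):
        self.limit = limit
        self.window_ms = window_ms
        self.hits = defaultdict(deque)  # key -> timestamps of allowed requests

    def allow(self, key, now_ms):
        q = self.hits[key]
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()  # drop hits that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now_ms)
        return True


def constructed_requests():
    """Constructed sample traffic: (timestamp in ms, source IP, API token)."""
    reqs = []
    # One source sends 10 requests/second for 3 seconds, each with a new token.
    for i in range(30):
        reqs.append((i * 100, "203.0.113.7", f"token-{i}"))
    # A well-behaved client: one request per second with a single token.
    for i in range(3):
        reqs.append((i * 1000, "198.51.100.20", "token-steady"))
    return sorted(reqs)


def blocked_by(key_index, limit=5, window_ms=1000):
    """Replay the sample traffic with the limiter keyed on one request field
    (1 = source IP, 2 = token). Returns blocked-request counts per source IP."""
    limiter = SlidingWindowLimiter(limit, window_ms)
    blocked = defaultdict(int)
    for req in constructed_requests():
        if not limiter.allow(req[key_index], req[0]):
            blocked[req[1]] += 1
    return dict(blocked)


if __name__ == "__main__":
    print("keyed on token:", blocked_by(2))  # rotating tokens never hit the limit
    print("keyed on IP:   ", blocked_by(1))  # the noisy source is throttled
```

Keyed on the token, the limiter never fires because each token is used once; keyed on the source IP, the same traffic is throttled and the steady client is untouched.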


