
launchpad-dev team mailing list archive

Re: Fwd: [Fwd: Quickly and Launchpad]

 

On Fri, 2010-06-25 at 08:09 +0200, Didier Roche wrote:
> On Friday, 25 June 2010 at 10:37 +1000, Martin Pool wrote:
> > On 25 June 2010 10:20, Martin Pool <mbp@xxxxxxxxxxxxx> wrote:
> > > On 24 June 2010 21:18, Jonathan Lange <jml@xxxxxxxxxxxxx> wrote:
> > >> See here the requirement:
> > >> https://blueprints.launchpad.net/ubuntu/+spec/desktop-maverick-quickly
> > >>
> > >> I would really prefer to avoid as much as possible "that bad way" to
> > >> communicate to launchpad and so close to regular breakage and so on.
> > >> Is there any way to make this less hackish than screenscraping and get a
> > >> proper way?
> > >
> > > I don't know the background (like why this is hard to add to an API)
> > > but perhaps there is a middle ground of using XQuery or similar
> > > against a Launchpad page, and adding microformat data into the page
> > > template?  Or is the problem that CoC-signing implies doing an email
> > > GPG transaction?
> > 
> > Poking into this a little bit it seems the actual work needed on
> > Launchpad is <https://bugs.edge.launchpad.net/launchpad-registry/+bug/568981>
> > and <https://bugs.edge.launchpad.net/launchpad-registry/+bug/568982>,
> > wanting to set gpg and ssh keys via the API?  So readonly-oriented
> > structural screenscraping is not a great alternative.
> > 
> > I would guess it would be fairly easy to add those APIs by cargo culting others?
> > 
> 
> Thanks for your answer,
> 
> When jml and I added the gpg/ssh read-only mode 5 months ago to
> Launchpad API (and it wasn't so easy ;)), the second step was the write
> mode.
> We poked on #launchpad-dev and it seems that the fix for those is not
> easy at all (I'm not familiar enough with LP internals to understand the
> pros and cons), but that it can't be tackled in an easy way. That's why
> we had a session at UDS (for the opportunistic dev stuff), but
> unfortunately, no solution seems to be possible (invoking security
> issues that can be worked around by screenscraping in any case).

The code of the basic write implementation is simple. However,
difficulty arises when we consider that normal API applications probably
shouldn't be able to touch other authentication tokens. It is intended
that one should be able to stop a rogue application by simply revoking
its OAuth token; if applications were permitted to add new SSH and
OpenPGP keys, they could add backdoors that would not be closed using
normal means.
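
The revocation argument in the message above, as an added example that is not part of the original thread and is not Launchpad code. The `Account` class, the `allow_credential_writes` switch and all key and token names are constructed for illustration.

```python
"""Toy model (not Launchpad code): why API tokens must not mint credentials."""
from dataclasses import dataclass, field


@dataclass
class Account:
    oauth_tokens: dict = field(default_factory=dict)  # token -> app name
    ssh_keys: dict = field(default_factory=dict)      # key -> who added it

    def authorize_app(self, app, token):
        self.oauth_tokens[token] = app

    def revoke_app(self, app):
        # The "normal means" of stopping a rogue application.
        self.oauth_tokens = {t: a for t, a in self.oauth_tokens.items() if a != app}

    def api_add_ssh_key(self, token, key, allow_credential_writes):
        app = self.oauth_tokens.get(token)
        if app is None:
            raise PermissionError("unknown or revoked OAuth token")
        if not allow_credential_writes:
            # Hardened policy: a delegated token cannot create another credential.
            raise PermissionError("credential changes need interactive login")
        self.ssh_keys[key] = app

    def access_paths(self):
        """Every credential that still authenticates as this account."""
        return sorted(self.oauth_tokens) + sorted(self.ssh_keys)


def simulate(allow_credential_writes):
    """Return the credentials left after a rogue app is revoked."""
    acct = Account()
    acct.ssh_keys["owner-key"] = "owner"  # constructed sample values
    acct.authorize_app("rogue-app", "tok-rogue")
    try:
        acct.api_add_ssh_key("tok-rogue", "planted-key", allow_credential_writes)
    except PermissionError:
        pass  # the hardened policy refused the write
    acct.revoke_app("rogue-app")
    return acct.access_paths()


if __name__ == "__main__":
    print("writes allowed:", simulate(True))   # planted key survives revocation
    print("writes denied: ", simulate(False))  # only the owner's key remains
```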



