
launchpad-dev team mailing list archive

Re: Fwd: [Fwd: Quickly and Launchpad]

 

On Friday 25 June 2010 at 16:16 +1000, William Grant wrote:
> The code of the basic write implementation is simple. However,
> difficulty arises when we consider that normal API applications probably
> shouldn't be able to touch other authentication tokens. It is intended
> that one should be able to stop a rogue application by simply revoking
> its OAuth token; if applications were permitted to add new SSH and
> OpenPGP keys, they could add backdoors that would not be closed using
> normal means.
> 

My point is that people are already able to do that with
screen scraping (see GroundControl for instance), I don't really
understand why exposing those to the API is more or less of a security issue
there when people click on "change everything".
Or do you mean that making gpg or ssh keys writable to the API is opening
other backdoors that the site itself doesn't enable?




