launchpad-dev team mailing list archive

Thread
Date

Re: Fwd: [Fwd: Quickly and Launchpad]

To: William Grant <wgrant@xxxxxxxxxx>
From: Didier Roche <didrocks@xxxxxxxxxx>
Date: Fri, 25 Jun 2010 08:28:06 +0200
Cc: Launchpad Community Development Team <launchpad-dev@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <1277446603.2476.2.camel@magrathea.qeuni.net>

Le vendredi 25 juin 2010 à 16:16 +1000, William Grant a écrit :
> The code of the basic write implementation is simple. However,
> difficulty arises when we consider that normal API applications probably
> shouldn't be able to touch other authentication tokens. It is intended
> that one should be able to stop a rogue application by simple revoking
> its OAuth token; if applications were permitted to add new SSH and
> OpenPGP keys, they could add backdoors that would not be closed using
> normal means.
> 

My point is that people are already able to do to that with
screenscrapping (see GoundControl for instance), I don't really
understand why exposing those to API is more or less a security issue
there when people click on "change everything".
Or do you mean that adding gpg or ssh key writable to API is opening
other backdoor than the site itself doesn't enable?

Follow ups

Re: Fwd: [Fwd: Quickly and Launchpad]
From: William Grant, 2010-06-25

References

Fwd: [Fwd: Quickly and Launchpad]
From: Jonathan Lange, 2010-06-24
Re: Fwd: [Fwd: Quickly and Launchpad]
From: Martin Pool, 2010-06-25
Re: Fwd: [Fwd: Quickly and Launchpad]
From: Martin Pool, 2010-06-25
Re: Fwd: [Fwd: Quickly and Launchpad]
From: Didier Roche, 2010-06-25
Re: Fwd: [Fwd: Quickly and Launchpad]
From: William Grant, 2010-06-25