
launchpad-dev team mailing list archive

Re: Fwd: [Fwd: Quickly and Launchpad]

 

On Friday 25 June 2010 at 16:52 +1000, William Grant wrote:
> On Fri, 2010-06-25 at 08:42 +0200, Didier Roche wrote:
> > On Friday 25 June 2010 at 16:34 +1000, William Grant wrote:
> > > On Fri, 2010-06-25 at 08:28 +0200, Didier Roche wrote:
> > > > On Friday 25 June 2010 at 16:16 +1000, William Grant wrote:
> > > > > The code of the basic write implementation is simple. However,
> > > > > difficulty arises when we consider that normal API applications probably
> > > > > shouldn't be able to touch other authentication tokens. It is intended
> > > > > that one should be able to stop a rogue application by simply revoking
> > > > > its OAuth token; if applications were permitted to add new SSH and
> > > > > OpenPGP keys, they could add backdoors that would not be closed using
> > > > > normal means.
> > > > > 
> > > > 
> > > > My point is that people are already able to do that with
> > > > screen scraping (see GroundControl for instance), I don't really
> > > > understand why exposing those to API is more or less a security issue
> > > > there when people click on "change everything".
> > > > Or do you mean that adding gpg or ssh key writable to API is opening
> > > > other backdoor than the site itself doesn't enable?
> > > 
> > > If I give an application my SSO email address and password, I expect
> > > them to be able to do anything at all. But applications aren't meant to
> > > request that information -- one reason is that it's a lot harder to
> > > revoke access granted that way, and those credentials have access to a
> > > lot more than just Launchpad. OAuth is meant to be a solution to this.
> > > 
> > > I think perhaps an additional access mode which permits alteration of
> > > authentication tokens could work. We already need more flexibility in
> > > that area.
> > > 
> > 
> > Here is what GC does:
> > it opens a browser window embedded in a webkit widget to get the
> > credential and cookie. I think from the user's point of view, they don't see
> > the difference from regular Launchpad applications that use
> > the API to open the request in a real web browser window. So my remark on
> > the fact it's not real security.
> > 
> > Well, I'm still puzzled and don't know what to do for Quickly: again, if
> > I can work with you guys to have the "good way", like done with jml on
> > gpg/ssh access last cycle, I'm all in favor for that. I just realized
> > last cycle that hacking on LP was time consuming and quite hard when you
> > don't know the rationale :)
> 
> Applications should be able to mutate SSH and OpenPGP keys through the
> API, if the user wants them to do so. But it needs to be an explicit
> decision on the user's part to grant an application that extra
> privilege; it undermines some of the security that OAuth provides, and
> is completely undesirable for most applications.
> 
> I envisage that Quickly should be able to request a token with access to
> other authentication tokens, Launchpad will then confirm that the user
> is OK with that, and everyone will live happily ever after (without
> screenscraping).
> 

Ok, I'm all in favor for that solution. Now, how do we get things moving? I
can help as much as I can despite my very little knowledge on Launchpad
(and hacking on it showed me that you have a lot of required knowledge
first).

Is it doable in your opinion to target that Quickly can get support
(before maverick Feature Freeze) of those things:
- pushing ssh key
- pushing gpg key
- download CoC and push signed one (yes, Quickly will make people read
it before, don't be afraid)
- create a ppa if none available

Didier
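
The access model proposed in this thread, sketched as an added example (not part of the original message and not Launchpad's code): a token may change SSH/OpenPGP keys only if the user explicitly granted an extra access mode. All names here (`Access`, `MANAGE_CREDENTIALS`, `Token`, `Account`) are hypothetical, and returning the keys a revoked token added is an assumption that goes beyond the thread, aimed at the backdoor concern raised above.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Access(Flag):
    """Hypothetical access modes a user can grant to an OAuth token."""
    READ = auto()
    WRITE = auto()
    MANAGE_CREDENTIALS = auto()   # the extra, explicitly granted mode


# Operations that change how the account authenticates need the extra mode.
REQUIRED = {
    "read_profile": Access.READ,
    "create_ppa": Access.WRITE,
    "add_ssh_key": Access.WRITE | Access.MANAGE_CREDENTIALS,
    "add_gpg_key": Access.WRITE | Access.MANAGE_CREDENTIALS,
}


@dataclass
class Token:
    app: str
    granted: Access
    revoked: bool = False


@dataclass
class Account:
    ssh_keys: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def call(self, token: Token, op: str, value: str = "") -> bool:
        """Authorize one API call; deny by default and record the decision."""
        need = REQUIRED.get(op)
        ok = (need is not None and not token.revoked
              and (token.granted & need) == need)
        self.audit.append((token.app, op, "allow" if ok else "deny"))
        if ok and op == "add_ssh_key":
            self.ssh_keys.append((token.app, value))
        return ok

    def revoke(self, token: Token) -> list:
        """Revoke a token and return keys it added, for the user to review."""
        token.revoked = True
        return [k for app, k in self.ssh_keys if app == token.app]
```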



