launchpad-dev team mailing list archive

[Benji York <benji.york@xxxxxxxxxxxxx>]

On Thu, Sep 23, 2010 at 4:15 PM, Gavin Panella
<gavin.panella@xxxxxxxxxxxxx> wrote:
> If I'm collaborating on, reviewing, or otherwise running a
> not-expected-to-be-evil-but-not-known-to-be-safe Launchpad API
> consumer, I'd like to be able to say "please use a read-only token
> this time instead of the desktop token" to reduce the possibility of
> mishap. Will that be possible?

It's possible, but probably not what we really want to do.  Here are a
few scenarios:

1) the app is evil: you're screwed so it doesn't matter if you give it
   read-only or not
2) the app only reads data: you're fine, but you would have been find
   with read/write access anyway
3) the app wants to write data: you're fine up until the point the app
   writes, at which point it dies a horrible death, confusing and
   irritating the end user
4) the app isn't evil but has a bug such that it makes unwanted writes
   to LP

The only case where granting a desktop app a read-only token would have
helped you is 4.  If that case is a big enough concern to do something
about, it would be better remedied by a launchpadlib API that lets an
app request read-only access instead of making the user know that a
particular app only needs read-only access and remembering to choose it
when prompted by LP.

> Btw, that was a really well written explanation of the issue.

Indeed.
-- 
Benji York