launchpad-dev team mailing list archive
Message #04758
Re: Instead of authorizing individual applications against the Launchpad web service, let's authorize the Ubuntu desktop as a whole
On Fri, Sep 24, 2010 at 8:58 AM, Benji York <benji.york@xxxxxxxxxxxxx> wrote:
> On Thu, Sep 23, 2010 at 4:15 PM, Gavin Panella
> <gavin.panella@xxxxxxxxxxxxx> wrote:
>> If I'm collaborating on, reviewing, or otherwise running a
>> not-expected-to-be-evil-but-not-known-to-be-safe Launchpad API
>> consumer, I'd like to be able to say "please use a read-only token
>> this time instead of the desktop token" to reduce the possibility of
>> mishap. Will that be possible?
>
> It's possible, but probably not what we really want to do. Here are a
> few scenarios:
I think you have some hidden assumptions in your scenarios; I
interpret them rather differently.
> 1) the app is evil: you're screwed so it doesn't matter if you give it
> read-only or not
Read-only public data is hardly screwed. Read-only private data may
lead to disclosure but not to privilege escalation. 'Screwed' in this
situation is unlike screwed in life: one can be a little bit screwed
here, and a little bit is better than totally.
> 2) the app only reads data: you're fine, but you would have been fine
> with read/write access anyway
Apps that only read data can be evil too; I don't quite see the
distinction you're trying to draw.
> 3) the app wants to write data: you're fine up until the point the app
> writes, at which point it dies a horrible death, confusing and
> irritating the end user
If an app needs to write, it would help for it to clearly say:
- what it needs to write
- why it needs to write
And that should be presented on the OAuth authorisation screen. That
is, rather than:
[] ro
[] rw
[] ro private
[] rw private
The dialog might be:
Foo wants rw private access to operate Y/N
This would make it much clearer.
> 4) the app isn't evil but has a bug such that it makes unwanted writes
> to LP
> The only case where granting a desktop app a read-only token would have
> helped you is 4.
I argue above that this is incorrect: All four cases would benefit by
being able to say how much access is permitted.
> If that case is a big enough concern to do something
> about, it would be better remedied by a launchpadlib API that lets an
> app request read-only access instead of making the user know that a
> particular app only needs read-only access and remembering to choose it
> when prompted by LP.
-Rob
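As an added illustration of the point being argued above, not code from this thread, from Launchpad or from launchpadlib, here is a small Python model of the four access levels on the authorisation screen (ro, rw, ro private, rw private), the one-question dialog Rob proposes, and a service-side check that shows what a narrower token does to each of Benji's scenarios. The permission table, the `Record` resource and the "buggy consumer" call sequence are all constructed for the example; the real Launchpad permission model is not reproduced here.

```python
from dataclasses import dataclass

# The four levels from the authorisation screen in the thread, mapped to
# (may write, may see private data).  Constructed for this example; it is
# not Launchpad's own permission table.
ACCESS_LEVELS = {
    "ro": (False, False),
    "rw": (True, False),
    "ro private": (False, True),
    "rw private": (True, True),
}

class AccessDenied(Exception):
    """The token's level does not cover the requested operation."""

@dataclass(frozen=True)
class Token:
    level: str

    def __post_init__(self):
        if self.level not in ACCESS_LEVELS:
            raise ValueError(f"unknown access level: {self.level!r}")

    @property
    def may_write(self) -> bool:
        return ACCESS_LEVELS[self.level][0]

    @property
    def may_see_private(self) -> bool:
        return ACCESS_LEVELS[self.level][1]

@dataclass
class Record:
    """A hypothetical API resource; 'private' stands in for private data."""
    name: str
    value: str
    private: bool = False

def authorisation_prompt(app: str, level: str, purpose: str) -> str:
    """Render the one-line dialog proposed in the thread from what the app
    declares it needs (the level) and why (the purpose)."""
    if level not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level: {level!r}")
    return f"{app} wants {level} access to {purpose} Y/N"

def read(token: Token, record: Record) -> str:
    """Service-side check for a read: private data needs a 'private' level."""
    if record.private and not token.may_see_private:
        raise AccessDenied(f"{token.level} token may not read private {record.name}")
    return record.value

def write(token: Token, record: Record, value: str) -> None:
    """Service-side check for a write: needs an rw level, plus visibility."""
    if not token.may_write:
        raise AccessDenied(f"{token.level} token may not write {record.name}")
    if record.private and not token.may_see_private:
        raise AccessDenied(f"{token.level} token may not write private {record.name}")
    record.value = value

def run_consumer(token: Token, records: dict, actions: list) -> list:
    """Replay an API consumer's calls against the service and report each
    outcome ('ok' or 'denied').  A denied call never changes state, which is
    what a narrow token buys you when the consumer is buggy or hostile."""
    outcomes = []
    for action in actions:
        op, name = action[0], action[1]
        try:
            if op == "read":
                read(token, records[name])
            elif op == "write":
                write(token, records[name], action[2])
            else:
                raise ValueError(f"unknown operation: {op!r}")
            outcomes.append("ok")
        except AccessDenied:
            outcomes.append("denied")
    return outcomes

def sample_records() -> dict:
    """Constructed sample data: one public and one private record."""
    return {
        "bug-1": Record("bug-1", "open"),
        "secret-bug": Record("secret-bug", "open", private=True),
    }

# Scenario 4 from the thread: a well-meaning consumer that reads a bug, makes
# an unwanted write because of a bug of its own, then reads private data.
BUGGY_CONSUMER = [
    ("read", "bug-1"),
    ("write", "bug-1", "closed"),
    ("read", "secret-bug"),
]

if __name__ == "__main__":
    print(authorisation_prompt("Foo", "rw private", "operate"))
    for level in ACCESS_LEVELS:
        records = sample_records()
        outcomes = run_consumer(Token(level), records, BUGGY_CONSUMER)
        print(f"{level:>10}: {outcomes}, bug-1 is now {records['bug-1'].value!r}")
```

Running it shows the asymmetry Rob is describing: with an `ro` token the consumer's stray write is refused and the record stays `open`, with `rw` the same sequence closes the bug, and only the `private` levels expose `secret-bug`. The level is enforced on the service side, so the consumer's good intentions never enter into it.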