launchpad-users team mailing list archive

[Leonard Richardson <leonard.richardson@xxxxxxxxxxxxx>]

I don't care about no-anonymous-access one way or another, but mandatory
OAuth signing is one of those decisions that was made a long time
ago--for reasons I don't remember but which were strong enough to
override my not caring--and would need to be explicitly revisited.

> The web service api has space for an application key - surely that, or
> source ip block, is the right way to throttle it, if we're getting hit
> too much?

The application key throttle is for applications that are buggy or
abusive, no matter how many people are using them.

The IP throttle is for IPs that generate excessive traffic, no matter
how many people come through that IP or what applications they use.

The consumer key throttle is for accounts that generate excessive
traffic, no matter how many IPs or applications they use to do it.

If a bunch of people use an OAuth key associated with a bugmenot account
(not that it matters, but bugmenot doesn't currently list any OAuth
keys) and they collectively don't trigger the throttle, that's fine. If
they trigger the throttle and they're okay with the slower access,
that's fine. If they trigger the throttle and decide to create new
accounts to get faster access, that's fine.

It's not intended to be a bulletproof system or to track people in a
draconian way, just to stop casual abuse and minor accidents.

Leonard

Attachment: signature.asc
Description: This is a digitally signed message part