I don't care about no-anonymous-access one way or another, but mandatory OAuth signing is one of those decisions that was made a long time ago--for reasons I don't remember but which were strong enough to override my not caring--and would need to be explicitly revisited. > The web service api has space for an application key - surely that, or > source ip block, is the right way to throttle it, if we're getting hit > too much? The application key throttle is for applications that are buggy or abusive, no matter how many people are using them. The IP throttle is for IPs that generate excessive traffic, no matter how many people come through that IP or what applications they use. The consumer key throttle is for accounts that generate excessive traffic, no matter how many IPs or applications they use to do it. If a bunch of people use an OAuth key associated with a bugmenot account (not that it matters, but bugmenot doesn't currently list any OAuth keys) and they collectively don't trigger the throttle, that's fine. If they trigger the throttle and they're okay with the slower access, that's fine. If they trigger the throttle and decide to create new accounts to get faster access, that's fine. It's not intended to be a bulletproof system or to track people in a draconian way, just to stop casual abuse and minor accidents. Leonard
Attachment:
signature.asc
Description: This is a digitally signed message part
This is the launchpad-users mailing list archive — see also the general help for Launchpad.net mailing lists.
(Formatted by MHonArc.)