ubuntu-phone team mailing list archive

[Rodney Dawes <rodney.dawes@xxxxxxxxxxxxx>]

On Mon, 2014-11-17 at 08:40 -0600, Jamie Strandboge wrote:
> The review tools are correctly setting this for manual review because adding a
> provider/qml-plugin to online extends online accounts in a manner that cannot be
> automatically reviewed and because this code runs in a different security
> context than the click app.
> 
> Are you sure you want to add a new provider and qml-plugin for other apps on the
> system to use? If so, that's ok, but this will require a manual review for each
> upload. (An alternative would be to work with the online accounts team to try to
> make your provider and plugin official).

I personally don't mind if they need review, due to additional security
concerns. I don't think we should try to make every provider an
"official" provider though in the upstream account-plugins package. It
would be better to keep that set of providers as small as reasonably
possible, I think.

However, I think even the "official" providers for Online Acocunts
should eventually become click packages for each provider. If an
upstream (Google, AOL, Yahoo, whomever) decides to change what URL the
OAuth should be grabbed from, or similar, a click package would let us
have the update out in a matter of minutes. With the providers being
part of the system image, though, it means we'd have to do all th e
extra work that comes with building a system image and pushing it out as
an update to users.

Granted, this hasn't been a big problem for the phone image yet, but
services breaking authentication schemes has been an issue in the past
for Pidgin and others.