using API keys in the FreeBSD Chromium port

George Liaskos geo.liaskos at gmail.com
Thu May 30 19:45:23 UTC 2013


>
>
>  - Don't ship the port with a key.  Instead, require the builder
> (currently everyone who runs FreeBSD) to acquire one for themselves.
> When the key is not present, don't build the features that require an
> API key.
>  - On FreeBSD package building cluster (as well as PC-BSD ones),
> deploy the "official" key and make binaries there.
>
> I don't see how this would even work as expected, though: the key is
> embedded in the binary and thus anyone who can run the binary and has
> debugging tools would be able to extract it.  This situation is
> totally different from the normal OAuth scenario, where the API key is
> deployed on servers and protected from being accessed by average
> users, and the API provider can easily block a misbehaving client when
> the key is "stolen".


I may be wrong, but I don't think that this is feasible; you cannot expect
every end user to generate keys so he can use the browser.

We just need a key that will be "blessed" as official for FreeBSD, just
like Debian [0], Gentoo [1], Arch [2] and others have done.

[0]
http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git;a=blob;f=debian/rules;hb=HEAD
[1]
http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-client/chromium/chromium-9999-r1.ebuild?view=markup
[2]
https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/chromium
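
Added example (not part of the original thread, and not code from the FreeBSD port): a packaging-side check for the two build variants proposed in the quoted message, which also shows that a compiled-in key sits in the artifact as plain bytes. The key value, the variant names `cluster` and `local`, and the sample binaries are constructed for illustration.

```python
"""Release check for the two build variants proposed in the quoted message."""

# Constructed placeholder, not a real credential or a real key format.
OFFICIAL_KEY = "EXAMPLE-OFFICIAL-KEY-0123456789"


def key_offsets(blob, key):
    """Find the key as raw ASCII or UTF-16LE bytes, the two encodings a
    compiled-in string constant usually takes. Returns (encoding, offset)."""
    hits = []
    for encoding in ("ascii", "utf-16-le"):
        needle = key.encode(encoding)
        pos = blob.find(needle)
        while pos != -1:
            hits.append((encoding, pos))
            pos = blob.find(needle, pos + 1)
    return hits


def check_artifact(blob, variant, key=OFFICIAL_KEY):
    """variant is 'cluster' (key expected) or 'local' (key must be absent)."""
    if variant not in ("cluster", "local"):
        raise ValueError(f"unknown variant: {variant!r}")
    hits = key_offsets(blob, key)
    if variant == "local" and hits:
        return False, f"key present in local build at {hits}"
    if variant == "cluster" and not hits:
        return False, "cluster build is missing the official key"
    return True, f"{len(hits)} occurrence(s), as expected for {variant}"


# Constructed stand-ins for linked binaries: magic bytes, padding, constants.
PAD = b"\x7fELF" + b"\x00" * 60
CLUSTER_BIN = PAD + OFFICIAL_KEY.encode("ascii") + b"\x00tail"
LOCAL_BIN = PAD + b"no-key-configured\x00tail"
WIDE_BIN = PAD + OFFICIAL_KEY.encode("utf-16-le")  # key stored as wide string

if __name__ == "__main__":
    for name, blob, variant in (("cluster", CLUSTER_BIN, "cluster"),
                                ("local", LOCAL_BIN, "local"),
                                ("mislabelled", WIDE_BIN, "local")):
        print(name, check_artifact(blob, variant))
```

The check passes only when the key's presence matches the declared variant; it says nothing about a key stored in some transformed form.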

