Dashboard API authentication issues
zygmunt.krynicki at linaro.org
Thu Oct 14 07:49:11 UTC 2010
On 14.10.2010 04:19, Michael Hudson wrote:
> It has to be said, I'm not sure the aesthetic appeal of oauth outweighs
> these costs. It smells a bit overengineered.
>> 1) We need to allow users to authenticate before we allow them to upload
>> test results (bundles) to certain directories (bundle streams) in a
>> simple and efficient manner (client side code matters)
> Is this all we want? As salgado asked in another mail, where is this
> API going?
Currently that's the only thing we _require_. We will want more things
but I'd like to solve one problem at a time.
>> 2) Currently our only client is abrek
> Is this going to change?
Most likely it's going to grow to more programs. I'd like to ship an
official client-side library that programs like abrek can use to be
isolated from how we do stuff internally.
>> 3) We'd like to offer this very quickly, definitely before the UDS
> I don't think we should allow time pressures to force us into a bad
> decision. That said, I'm not sure the decision being made here is
> necessarily that bad to get "wrong" at this stage.
While I agree I also value the act of shipping useful stuff even if we
need to clean some bits up later on. Having said that, I don't think the
"bad" scenario is that wrong either.
>> Having said that let's look at the options we have:
>> A) Continue hacking oauth in good faith that it'll work as intended
>> without falling apart/being insecure/being hard to deploy/missing deadlines.
> I think the tone of your voice suggests you don't like this plan :-)
If I used oauth before and knew it like the back of my hand I'd be more
optimistic here. My primary concern is that 1) we'll miss the deadline 2)
it's not going to be pretty on the client side 3) we'll get it wrong
>> Some other points to consider:
>> 1) Offspring nee lexbuilder also has an XML-RPC interface (cody, please
>> correct me if I'm wrong) and we should align the technology if
> I don't really see the value in this, tbh.
If cody has to solve the same problem then we could at least share the
solution later on.
> Given that UDS is so soon, is there much value on working on it
> furiously before UDS, where the real requirements might become clear?
> Having authentication doesn't seem a requirement for doing demos at the
> summit to me.
I think it solves an important aspect of having some sensibility to how
we push our data. Currently anyone can push anything anywhere. That's
just bad IMHO. It's not devastating but not something I'd like to give.