[Bug 387297] [NEW] manage-credentials should not ask for Launchpad password directly

Leonard Richardson leonard.richardson at canonical.com
Mon Jun 15 13:18:08 UTC 2009


Public bug reported:

Binary package hint: ubuntu-dev-tools

OAuth protects against phishing attacks, but only if we train users not
to enter their Launchpad password unless 1) they're in their web
browser, 2) their browser is pointed at *.launchpad.net. Nothing in the
OAuth protocol itself prevents phishing--it just makes it possible
to educate users.

manage-credentials contains code to get an OAuth credential by,
basically, phishing: asking the user for their Launchpad password and
logging in for them. manage-credentials doesn't store the user's
password or do anything bad with it, but its existence trains users to
give their Launchpad password to anyone who asks for it. It also
prevents users from making a decision of how much they trust the
application they're using.

If it's too difficult to get credentials with launchpadlib, we need to
fix launchpadlib. Subverting our security model is not the answer.

** Affects: ubuntu-dev-tools (Ubuntu)
     Importance: Undecided
         Status: New

-- 
manage-credentials should not ask for Launchpad password directly
https://bugs.launchpad.net/bugs/387297
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
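
The browser hand-off the report argues for, as an added example (not code from ubuntu-dev-tools, launchpadlib or the reporter): the tool builds the token authorization URL, checks that it really points at launchpad.net over https, and passes it to the browser instead of prompting for a password. The function names, the +authorize-token path and the sample token are assumptions made for illustration.

```python
import webbrowser
from urllib.parse import urlencode, urlsplit

TRUSTED_DOMAIN = "launchpad.net"
# Assumed authorization page; the report itself names only *.launchpad.net.
AUTHORIZE_URL = "https://launchpad.net/+authorize-token"


def is_launchpad_url(url):
    """True only for https URLs whose host is launchpad.net or a subdomain."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on garbage
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    # "https://launchpad.net@other.example/" puts the trusted name in userinfo.
    if parts.username is not None or parts.password is not None:
        return False
    if port not in (None, 443):
        return False
    # Match on a label boundary so "evil-launchpad.net" and
    # "launchpad.net.other.example" are rejected.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def authorization_url(request_token, base=AUTHORIZE_URL):
    """Build the page on which the user approves the request token."""
    url = base + "?" + urlencode({"oauth_token": request_token})
    if not is_launchpad_url(url):
        raise ValueError("refusing to send the user to %r" % url)
    return url


def authorize_in_browser(request_token, open_browser=webbrowser.open):
    """Hand the URL to the browser; the tool never prompts for a password."""
    url = authorization_url(request_token)
    open_browser(url)
    return url


if __name__ == "__main__":
    # Constructed token and URLs, for illustration only; nothing is opened.
    print(authorization_url("constructed-request-token"))
    for candidate in ("https://edge.launchpad.net/+authorize-token",
                      "https://launchpad.net.other.example/+authorize-token",
                      "https://launchpad.net@other.example/+authorize-token"):
        print(candidate, is_launchpad_url(candidate))
```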
