[Bug 387297] Re: manage-credentials should not ask for Launchpad password directly
Stephan Hermann
sh at sourcecode.de
Mon Jun 22 06:18:05 UTC 2009
Good morning,
I would like to give my input about the problems with the web browser
oriented "Sign into Launchpad" approach for UI clients.
Actually, I don't think there is a difference between trusting a webbrowser and an UI client. As for leonov, we don't save any passwords somewhere in the code...this is something we need to avoid.
Yes, the password is clear-text in saved in a variable, but only as long as we need it to authenticate to launchpad. Then it's the developers task to remove those bits.
Anyhow, the problem we are approaching is, using the browser or the ui
client, that you need to trust your network infrastructure, so that it
really connects to launchpad and not to e.g. "vi /etc/hosts && <some
internal ip> launchpad.net" or any other dns forgery.
The only way to do that, is to have openID, and to have a possibility to
answer "yes, it's me who wants to sign into launchpad".
The approach with username + password is bad, but having no other chance
to avoid a browser for ui clients, I think our leonov workaround is the
best thing someone can do.
Regards,
\sh
--
manage-credentials should not ask for Launchpad password directly
https://bugs.launchpad.net/bugs/387297
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
More information about the universe-bugs
mailing list