On 23/09/2020 20:51, Tom Morris wrote:
> Antonin - Can you provide a link to the documentation that you're
> talking about? Is the process manual or automated? If it's manual, we
> need to automate it. e.g. there's a secrets.txt file (or env variable,
> etc) that's optional for non-release builds, but mandatory for release
> builds.
The release process is described here:
https://github.com/OpenRefine/OpenRefine/wiki/Releasing-Version
>
> I'm inclined to stick with the current scheme until we are forced to
> switch
Yes, I am fine with leaving things in this state - the worst that can
happen is that suddenly the Google extension stops working. It's not
great but it is not going to jeopardize anything else.
> - Give up on server access and download to the client and then upload to
> the server so that all the authentication can be done client side.
> Obviously not very efficient, but might be the path of least resistance
I don't understand what you mean. If what you mean is changing the share
of responsibilities between the frontend and the backend, I do not see
how that can solve the problem: we need to ship the frontend and backend
code to the user, so secrets will be embedded there somehow.
Another option would be to run our own web service which would act as a
proxy between OpenRefine and the Google APIs - the credentials would
only need to be stored in that web service. But beyond the fact that it
requires more maintenance, it also means that we can see user data
flowing through that - not great for privacy I would say. And I suspect
that such a service would violate the TOS in the same way - we'd be
providing an open proxy to let anyone bypass their OAuth registration
process…
Antonin
>
> On Wed, Sep 23, 2020 at 12:24 PM Antonin Delpeuch (lists)
> <
li...@antonin.delpeuch.eu <mailto:
li...@antonin.delpeuch.eu>> wrote:
>
> Hi all,
>
> The released artifacts for 3.4 miss the Google credentials. Sorry about
> that, I forgot to add them (it was not mentioned in the documentation,
> so I have fixed that).
>
> I propose we release a 3.4.1 with that fix (which does not need a PR
> since it is not something we commit anyway).
>
> Alternatively I can also update the artifacts on the existing release.
>
> As a reminder, it is a bad practice to add API keys in this way to
> releases, since those credentials are not supposed to be communicated to
> users. Sadly, given the way OAuth works, this is the only way we can
> ship something workable to users (otherwise they would have to apply for
> Google API credentials on their own, which is a pretty lengthy process).
> If anyone is aware of a better solution to this problem, I am very
> interested.
>
> Sorry again for this oversight!
> Antonin
>
> --
> You received this message because you are subscribed to the Google
> Groups "OpenRefine Development" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to
openrefine-de...@googlegroups.com
> <mailto:
openrefine-dev%2Bunsu...@googlegroups.com>.
> --
> You received this message because you are subscribed to the Google
> Groups "OpenRefine Development" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to
openrefine-de...@googlegroups.com
> <mailto:
openrefine-de...@googlegroups.com>.
> To view this discussion on the web visit
>
https://groups.google.com/d/msgid/openrefine-dev/CAE9vqEFoE_2xHHiyLJvX1nS2Wn8jBr-Ykbfn9%3DvmpAAVDLXiXA%40mail.gmail.com
> <
https://groups.google.com/d/msgid/openrefine-dev/CAE9vqEFoE_2xHHiyLJvX1nS2Wn8jBr-Ykbfn9%3DvmpAAVDLXiXA%40mail.gmail.com?utm_medium=email&utm_source=footer>.