launchpadlib

Bug #532055
Comment #3

Comment 3 for bug 532055

Revision history for this message

Jonathan Lange (jml) wrote on 2010-03-05: Re: Trusted credential-management apps are broken and may be doomed

I just had a chat w/ Rodney Dawes. Here's the summary:
  * ubuntuone-login is a desktop app that does openid dance once and is used to grant permissions to other apps. (the "management" application described above)
  * lucid+1 would be a good time for factoring out some common code
  * We should talk about it at the lucid+1 UDS
  * jml will talk w/ statik about arranging that

Edited IRC transcript:

<jml> I'd like to talk about desktop-based auth* for launchpad at some point
<jml> it sounds like something that is at least vaguely aligned w/ ubuntu one
<jml> but it's also not something that's particularly urgent right now
<dobey> jml: didn't leondardr do some work for that with launchpadlib already?
<jml> dobey, yes, he did.
<jml> dobey, we're going to break it :)
<jml> (his work is a fake browser, this will cease to work when Launchpad consumes openid from providers other than Canonical)
<dobey> jml: yeah, openid pretty much is going to require a web page if we don't control both ends of the connection :-/
<jml> dobey, leonardr & gary are suggesting having a particular desktop application that is specially privileged to grant permissions for other desktop apps
<jml> dobey, so this special application will require a web-based openid login
<jml> the first time, that is, until credentials are invalidated
<jml> but other apps can use it to have a non-web authorization process.
<dobey> jml: that's pretty much exactly what ubuntuone-login is doing
<jml> dobey, see! I knew there was something we had in common :)
<dobey> jml: i would be quite happy for the majority of it to be moved out and made more generic, in the M cycle
<jml> dobey, the M cycle is when we'd be getting around to this, so that works well
<jml> dobey, I wonder what we'd have to do to just be able to use it unmodified
<dobey> jml: well it currently is only set up to get an oauth token for one.ubuntu.com, not launchpad
<dobey> jml: so I guess that's a problem. we also want to have subscription/etc... UI for ubuntu one
<dobey> which launchpadlib shouldn't have to deal with normally
<jml> dobey, by "subscription", you mean something involving people paying money, right?
<dobey> jml: i mean people agreeing to the Ubuntu One TOS, and possibly paying money to upgrade to the paid plan
<dobey> jml: though I suppose new account creation will need to rquire some TOS agreement for LP too perhaps, which would fit in a similar UI
<jml> dobey, we don't have a TOS right now. asking people to sign the COC might be a good idea though.
* jml sniggers
<dobey> jml: not sure how it would all fit together, but perhaps we can get it on the list of blueprints to discuss in Brussels?
<jml> dobey, yeah, that sounds like it would be awesome

Edited IRC transcript:

<jml> I'd like to talk about desktop-based auth* for launchpad at some point
<jml>  it sounds like something that is at least vaguely aligned w/ ubuntu one
<jml>  but it's also not something that's particularly urgent right now
<dobey> jml: didn't leondardr do some work for that with launchpadlib already?
<jml> dobey, yes, he did.
<jml> dobey, we're going to break it :)
<jml> (his work is a fake browser, this will cease to work when Launchpad consumes openid from providers other than Canonical)
<dobey> jml: yeah, openid pretty much is going to require a web page if we don't control both ends of the connection :-/
<jml> dobey, leonardr & gary are suggesting having a particular desktop application that is specially privileged to grant permissions for other desktop apps
<jml> dobey, so this special application will require a web-based openid login
<jml> the first time, that is, until credentials are invalidated
<jml> but other apps can use it to have a non-web authorization process.
<dobey> jml: that's pretty much exactly what ubuntuone-login is doing
<jml> dobey, see! I knew there was something we had in common :)
<dobey> jml: i would be quite happy for the majority of it to be moved out and made more generic, in the M cycle
<jml> dobey, the M cycle is when we'd be getting around to this, so that works well
<jml> dobey, I wonder what we'd have to do to just be able to use it unmodified
<dobey> jml: well it currently is only set up to get an oauth token for one.ubuntu.com, not launchpad
<dobey> jml: so I guess that's a problem. we also want to have subscription/etc... UI for ubuntu one
<dobey> which launchpadlib shouldn't have to deal with normally
<jml> dobey, by "subscription", you mean something involving people paying money, right?
<dobey> jml: i mean people agreeing to the Ubuntu One TOS, and possibly paying money to upgrade to the paid plan
<dobey> jml: though I suppose new account creation will need to rquire some TOS agreement for LP too perhaps, which would fit in a similar UI
<jml> dobey, we don't have a TOS right now. asking people to sign the COC might be a good idea though.
* jml sniggers
<dobey> jml: not sure how it would all fit together, but perhaps we can get it on the list of blueprints to discuss in Brussels?
<jml> dobey, yeah, that sounds like it would be awesome