Comments (11)
The plan is to finish this in January
from flathub.
I don't think that'd make a measurable difference, but it could be a strategy to obscure if needed. @ramcq suggested:
could we provision a flathub worker gpg key, which is copied onto each worker and could decrypt stuff which you encrypt to that key? and it can be copied over to the worker from the master
Which would be a longer term solution. For now, I'll just put the key in the manifest and revoke it if there are issues.
from flathub.
We need something like this for the future FeedReader in order to build the Feedly plugin. Currently, we use some env vars defined in the manifest that we replace with the ones defined on GitLab CI.
I think the best way to resolve this is to have the possibility to define env variables in flathub.org/ and be able to use them in the manifest.
from flathub.
I'm still not sure what this accomplishes. Users will always be able to pull the key out of feedreader. So in the end this is just obfuscation to stop crawlers which can be done any way you want.
from flathub.
Well, it's the difference between leaving the door unlocked and open and having a spare key somewhere hidden in the yard.
I'm about to release a first beta of NewsFlash and was hoping this would by now be possible.
The problem with the feedly API secret is that feedly is extremely strict about handing them out. For now I am using one that could be found in the code of an old Sailfish OS application. But ideally I want to apply for a unique secret.
For FeedReader, where the secret is simply in the code, my application got denied. Granted, for unspecified reasons. But not leaking the secret in a too obvious way is for sure part of getting one.
So my only option, if I still want to apply to get a secret, is to have a non-working feedly backend in the flathub build.
edit: in the gitlab CI pipeline we use two environment variables that can only be accessed by members of the project. That seems to work well for us so far.
from flathub.
If you just want to stop web crawlers finding it, maybe store it in the manifest encoded in like base64 and decode it as part of the build process?
from flathub.
Well, once the key is in the application the user can always extract it...
The only value I can think of is as I said, avoiding scrapers on github and I don't think we need actual encryption to do that.
from flathub.
Any updates on this issue?
Maybe implement something similar to Github's ?
from flathub.
This will be mitigated by allowing external builds.
from flathub.
I'd need this as well for Karapulse's Spotify application key.
from flathub.
in the gitlab CI pipeline we use two environment variables that can only be accessed by members of the project. That seems to work well for us so far.
The gitlab solution also takes care of censoring the secrets from the build logs, so they don't accidentally appear there.
from flathub.
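The pattern described in the comments above (build secrets supplied as CI environment variables and censored from the build logs), sketched as an added example; it is not Flathub's or GitLab's code. The variable names, the `@NAME@` placeholder syntax and the sample values are assumptions made for illustration.

```python
import base64
import re

# Hypothetical variable names; a CI system would inject the real values.
SECRET_VARS = ("FEEDLY_CLIENT_ID", "FEEDLY_CLIENT_SECRET")


def render_manifest(template, env, names=SECRET_VARS):
    """Fill @NAME@ placeholders from env; fail rather than build without a key."""
    missing = [n for n in names if not env.get(n)]
    if missing:
        raise KeyError("unset build secrets: " + ", ".join(missing))
    for name in names:
        template = template.replace("@" + name + "@", env[name])
    return template


def build_masker(env, names=SECRET_VARS, min_len=8):
    """Return a function that censors secret values from one log line."""
    forms = set()
    for name in names:
        value = env.get(name, "")
        if len(value) < min_len:  # very short values would mask ordinary text
            continue
        raw = value.encode()
        # Also mask the base64 forms, in case a build step echoes the value encoded.
        forms |= {value,
                  base64.b64encode(raw).decode(),
                  base64.urlsafe_b64encode(raw).decode()}
    if not forms:
        return lambda line: line
    # Longest first, so a value that is a prefix of another is not cut short.
    ordered = sorted(forms, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(f) for f in ordered))
    return lambda line: pattern.sub("[MASKED]", line)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    env = {"FEEDLY_CLIENT_ID": "newsflash-demo",
           "FEEDLY_CLIENT_SECRET": "s3cr3t-constructed-value"}
    mask = build_masker(env)
    args = render_manifest("-Dfeedly_secret=@FEEDLY_CLIENT_SECRET@", env)
    print(mask("configure " + args))
```

Masking of this kind covers the manifest in the repository and the build logs only; as the comments note, the value still ends up inside the built application.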