=== Guest52828 is now known as StevenK | ||
stub | wgrant: So I was wondering if it isn't so much for security, but to ensure requests are not accidentally processed twice, eg. when a client retries a request unnecessarily. I don't think we need to care about that, as our calls are idempotent? | 06:46 |
stub | wgrant: The person to ask about the security side would be the security team, since they spend all their time thinking about this stuff. | 06:46 |
wgrant | stub: If it was to avoid accidental double-processing it wouldn't apply to GETs. | 06:51 |
stub | wgrant: OAuth doesn't dictate that GETs are idempotent, does it? That is just sanity, not the spec. | 06:52 |
wgrant | stub: The OAuth spec says that nonces and timestamps aren't used for PLAINTEXT. | 06:52 |
wgrant | So it would have to be local, non-RFC reasoning | 06:52 |
wgrant | And our GETs are idempotent. | 06:52 |
stub | yeah, anyway, that is the best I can come up with. | 06:53 |
wgrant | Hmm | 06:54 |
wgrant | Oh | 06:54 |
wgrant | I guess some people still had that "wouldn't it be great if we let everyone not use TLS" braindeadness back then. | 06:54 |
wgrant | So perhaps they envisaged non-PLAINTEXT signatures in the future. | 06:55 |
wgrant | But it's not 1997, so that's not a concern any more. | 06:56 |
stub | -According to the oauth specification <http://oauth.net/core/1.0/#nonce>, for a | 07:02 |
stub | 181-given client, an application should not accept a timestamp older than the most | 07:02 |
stub | 182-recent timestamp received. | 07:02 |
stub | That is an interesting property that we lose | 07:02 |
stub | Only reduces the window from a security pov. I guess clients don't really care - if they resend requests, it is by choice. | 07:04 |
wgrant | stub: We always left a more liberal window anyway | 07:05 |
wgrant | A full minute, in fact | 07:06 |
wgrant | So unless a client is buggily retrying requests more than a minute later, nothing changes. | 07:06 |
stub | wgrant: Go for it from my POV. Maybe run it by the security team to see if they have any rationale for keeping it. | 07:12 |
wgrant | stub: Thanks. | 07:14 |
=== Ursinha is now known as Ursinha-afk | ||
=== Ursinha-afk is now known as Ursinha | ||
wgrant | cprov__: https://code.launchpad.net/~wgrant/launchpad/bug-1201984/+merge/225011 | 14:14 |
cprov__ | wgrant: on it | 14:16 |
=== cprov__ is now known as cprov | ||
cprov | wgrant: are you sure is_enabled is equivalent to lp.Append in this context? | 14:21 |
cprov | wgrant: I mean, won't we list PPA alternatives to which the user cannot upload (an exception will be raised, I presume)? | 14:22 |
wgrant | cprov: It doesn't have to be exactly equivalent. getPPAsForUser just has to approximate it; the permission check is done properly later and the copy will be rejected. | 14:23 |
wgrant | The permission check could also fail today, eg. if the permission was revoked between the request and the running of the job. | 14:24 |
cprov | wgrant: true, the permission check is delegated to the job itself. | 14:24 |
cprov | wgrant: I think users are already used to checking copy results in the destination PPA, but that will certainly make it more important. | 14:31 |
wgrant | They can fail for heaps of different reasons. | 14:34 |
wgrant | This is a pretty rare one. | 14:34 |
wgrant | Thanks. | 14:34 |
=== tasdomas` is now known as tasdomas | ||
=== Ursinha is now known as Ursinha-afk | ||
=== Ursinha-afk is now known as Ursinha | ||