[06:46] <stub> wgrant: So I was wondering if it isn't so much for security, but to ensure requests are not accidentally processed twice, e.g. when a client retries a request unnecessarily. I don't think we need to care about that, as our calls are idempotent?
[06:46] <stub> wgrant: The person to ask about the security side would be the security team, since they spend all their time thinking about this stuff.
[06:51] <wgrant> stub: If it was to avoid accidental double-processing it wouldn't apply to GETs.
[06:52] <stub> wgrant: OAuth doesn't dictate that GETs are idempotent, does it? That is just sanity, not the spec.
[06:52] <wgrant> stub: The OAuth spec says that nonces and timestamps aren't used for PLAINTEXT.
[06:52] <wgrant> So it would have to be local, non-RFC reasoning
[06:52] <wgrant> And our GETs are idempotent.
[06:53] <stub> yeah, anyway, that is the best I can come up with.
[06:54] <wgrant> Hmm
[06:54] <wgrant> Oh
[06:54] <wgrant> I guess some people still had that "wouldn't it be great if we let everyone not use TLS" braindeadness back then.
[06:55] <wgrant> So perhaps they envisaged non-PLAINTEXT signatures in the future.
[06:56] <wgrant> But it's not 1997, so that's not a concern any more.
[07:02] <stub> -According to the oauth specification <http://oauth.net/core/1.0/#nonce>, for a
[07:02] <stub> -given client, an application should not accept a timestamp older than the most
[07:02] <stub> -recent timestamp received.
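Review bot: the removed lines drop the only documentation of the replay-protection property (rejecting timestamps older than the last one seen) without stating what replaces it; the discussion says a one-minute window is still enforced, so the comment should be updated to describe that window rather than deleted outright.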
[07:02] <stub> That is an interesting property that we lose
[07:04] <stub> Only reduces the window from a security pov. I guess clients don't really care - if they resend requests, it is by choice.
[07:05] <wgrant> stub: We always left a more liberal window anyway
[07:06] <wgrant> A full minute, in fact
[07:06] <wgrant> So unless a client is buggily retrying requests more than a minute later, nothing changes.
[07:12] <stub> wgrant: Go for it from my POV. Maybe run it by the security team to see if they have any rationale for keeping it.
[07:14] <wgrant> stub: Thanks.
[14:14] <wgrant> cprov__: https://code.launchpad.net/~wgrant/launchpad/bug-1201984/+merge/225011
[14:16] <cprov__> wgrant: on it
[14:21] <cprov> wgrant: are you sure is_enabled is equivalent to lp.Append in this context?
[14:22] <cprov> wgrant: I mean, won't we list PPA alternatives to which the user cannot upload (an exception will be raised, I presume)?
[14:23] <wgrant> cprov: It doesn't have to be exactly equivalent. getPPAsForUser just has to approximate it; the permission check is done properly later and the copy will be rejected.
[14:24] <wgrant> The permission check could also fail today, eg. if the permission was revoked between the request and the running of the job.
[14:24] <cprov> wgrant: true, the permission check is delegated to the job itself.
[14:31] <cprov> wgrant: I think users are already used to checking copy results in the destination PPA, but that will certainly make it more important.
[14:34] <wgrant> They can fail for heaps of different reasons.
[14:34] <wgrant> This is a pretty rare one.
[14:34] <wgrant> Thanks.