On Thu, 21 Dec 2023 22:15:02 -0500 Richard wrote:
> Maybe your full proposal would be good, if supplemented with a
> concrete explanation of "API key".

there is no reason to specify the special use-case of a package manager - the
current criteria clearly cover that, and any other use-case involving access to
the data

> Allows visitors to look and download without authenticating. (A+0)

maybe "visitors" is seen as too specific? - this would be a clarification

> Allows viewing and downloading source code without authenticating. (A+0)

the issue that aaron raised relates to the authentication procedure itself -
that is orthogonal to whether or not access to the data requires authentication


On Thu, 21 Dec 2023 22:15:02 -0500 Richard wrote:
> Are these keys also called "application keys"?  I have heard of that
> term.  Each application is supposed to have and send its own key,
> different from that of every other application.

an "application key" is very similar to an "API key" - the terms are often used
interchangeably, though they should not be - the main difference is that an
"application key" is acquired by the author or distributor and embedded into
the distributed program (i.e. the same key for all users of that distro); whereas
an "API key" is expected to be acquired by each individual user - in such
cases the program in distros usually does not work unless the user supplies a
unique key manually

so an API key is simply a personal authorization token - nothing more
substantial than a password - it grants API access to website features, usually
only the features which would normally require authorization via the website -
features which do not require authorization via the website are generally
available via the API without an auth token

that is why i simply re-posted my previous comment about A+0 - A+0 is the
expected norm - it is barely worth mentioning, other than to be pedantic
- it would be difficult to find any forge which hides its data behind an auth
wall - to fail A+0 effectively means that the forge is private - most people
would not use a forge which fails A+0 - A+0 could be elevated to the essential
C level without affecting the standing of any current forge on the list
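The distinction drawn in the message above (an API key is a personal authorization token, only needed for features that would require login on the website, while an application key merely identifies a distributed client and is shared by all its users) can be modelled in a few lines. The following is an added illustration, not code from the thread or from any forge; the endpoint paths, header names, `APP_KEYS` table and `issue_api_key`/`handle_request` functions are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed data (assumption): application keys registered by a client's
# distributor. They are embedded in the shipped program, so every user of
# that program presents the same value; they identify the client, nothing more.
APP_KEYS = {"app-example-client-v1": "example-client"}

# Per-user API keys. Because an API key is no more substantial than a
# password, only a SHA-256 digest is stored, never the key itself.
API_KEY_DIGESTS: Dict[str, str] = {}


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_api_key(user: str) -> str:
    """Create a fresh personal API key for `user`; the plaintext is returned once."""
    key = secrets.token_urlsafe(32)
    API_KEY_DIGESTS[_digest(key)] = user
    return key


def user_for_api_key(presented: Optional[str]) -> Optional[str]:
    """Map a presented API key to its owner, or None if the key is unknown."""
    if not presented:
        return None
    candidate = _digest(presented)
    for stored, user in API_KEY_DIGESTS.items():
        # Compare digests in constant time, as one would for password hashes.
        if hmac.compare_digest(stored, candidate):
            return user
    return None


def handle_request(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Toy forge API: reads are public (A+0), writes need a personal API key."""
    client = APP_KEYS.get(headers.get("X-App-Key", ""), "unknown")
    user = user_for_api_key(headers.get("X-API-Key"))

    if method == "GET" and path.startswith("/repos/"):
        # Viewing and downloading source never requires authentication,
        # so no token of either kind is consulted for authorization.
        return 200, f"public read of {path} (client={client})"

    if method == "POST" and path.startswith("/repos/"):
        # A write would require login on the website, so it requires the
        # per-user key here. A shared application key does not authorize it.
        if user is None:
            return 401, "personal API key required"
        return 201, f"{user} wrote to {path} (client={client})"

    return 404, "no such endpoint"


if __name__ == "__main__":
    alice = issue_api_key("alice")
    print(handle_request("GET", "/repos/foo/archive.tar.gz", {}))
    print(handle_request("POST", "/repos/foo/issues", {"X-App-Key": "app-example-client-v1"}))
    print(handle_request("POST", "/repos/foo/issues", {"X-API-Key": alice}))
```

Running the block shows a 200 for the anonymous download, a 401 when only the shared application key is sent, and a 201 once a valid personal key accompanies the write.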
