On Thu, 21 Dec 2023 22:15:02 -0500 Richard wrote:
> Maybe your full proposal would be good, if supplemented with a
> concrete explanation of "API key".

there is no reason to specify the special use-case of a package manager - the current criteria clearly covers that, and any other use-case involving access to the data

> Allows visitors to look and download without authenticating. (A+0)

maybe "visitors" is seen as too specific? - this would be a clarification

> Allows viewing and downloading source code without authenticating. (A+0)

the issue that aaron raised relates to the authentication procedure itself - that is orthogonal to whether or not access to the data requires authentication

On Thu, 21 Dec 2023 22:15:02 -0500 Richard wrote:
> Are these keys also called "application keys"? I have heard of that
> term. Each application is supposed to have and send its own key,
> different from that of every other application.

an "application key" is very similar to an "API key" - the terms are often used interchangeably, though they should not be - the main difference is that an "application key" is acquired by the author or distributor and embedded into the distributed program (ie: the same key for all users of that distro); where an "API key" is expected to be acquired by each individual user - in such cases the program in distros usually does not work unless the user supplies a unique key manually

so an API key is simply a personal authorization token - nothing more substantial than a password - it grants API access to website features, usually only the features which would normally require authorization via the website - features which do not require authorization via the website are generally available via the API without an auth token

that is why i simply re-posted my previous comment about A+0 - A+0 is the expected norm - it is barely worth mentioning, other than to be pedantic - it would be difficult to find any forge which hides its data behind an auth wall - to fail A+0 effectively means that the forge is private - most people would not use a forge which fails A+0 - A+0 could be elevated to the essential C level without affecting the standing of any current forge on the list