Bug#823004: gplaycli: sensitive information in config file

2017-08-26 Thread Antonio Ospite
On Wed, 23 Aug 2017 14:00:55 +0200 Matlink wrote: > Well, this issue has been fixed in the github repository since the > version 0.2.2 of gplaycli. Instead of using email and password for > credentials, gplaycli will fetch a server to get a token that will be > used for

Bug#823004: gplaycli: sensitive information in config file

2017-08-23 Thread Matlink
Well, this issue has been fixed in the github repository since the version 0.2.2 of gplaycli. Instead of using email and password for credentials, gplaycli will fetch a server to get a token that will be used for further authentication. Thus, gplaycli no longer needs to ship sensitive informations

Bug#823004: gplaycli: sensitive information in config file

2017-08-23 Thread Antonio Ospite
Package: gplaycli Version: 0.2.1-1 Followup-For: Bug #823004 Dear Maintainer, Ping. See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871828 I verified that newer versions work fine by cloning the upstream git repo and running ./gplaycli/gplaycli using the debian dependencies of the

Bug#823004: gplaycli: sensitive information in config file

2017-03-27 Thread Paul Wise
On Mon, 2017-03-27 at 14:57 +0200, Matlink wrote: > A token authentication is now privided. By default, gplaycli will > retrieve a token from a server I control, and use it to talk with the > Google servers. Seems like a reasonable compromise. I think you probably want to drop gmail_password

Bug#823004: gplaycli: sensitive information in config file

2017-03-27 Thread Matlink
The new version (https://github.com/matlink/gplaycli/releases/tag/0.2.2) fixes this issue. A token authentication is now privided. By default, gplaycli will retrieve a token from a server I control, and use it to talk with the Google servers. In that way, username and password are not used

Bug#823004: gplaycli: sensitive information in config file

2016-12-01 Thread Paul Wise
On Wed, 2016-11-09 at 12:42 +0800, Paul Wise wrote: > I suggest this bug report be closed wontfix. This bug has now caused gplaycli to be removed from Debian stretch. Is there any progress to report? -- bye, pabs https://wiki.debian.org/PaulWise signature.asc Description: This is a

Bug#823004: gplaycli: sensitive information in config file

2016-11-13 Thread Paul Wise
On Sun, 2016-11-13 at 10:53 +0100, Matlink wrote: > Another solution would be to tell gplaycli to fetch the credentials > from a server. In this case, when the credentials are changed, I just > have to change this file on the server and every instance of gplaycli > will fetch this file and have

Bug#823004: gplaycli: sensitive information in config file

2016-11-13 Thread Matlink
Another solution would be to tell gplaycli to fetch the credentials from a server. In this case, when the credentials are changed, I just have to change this file on the server and every instance of gplaycli will fetch this file and have the new credentials. Pros: * no need to update gplaycli

Bug#823004: gplaycli: sensitive information in config file

2016-11-09 Thread matlink
If we could automatically create a Google account through command line it would be an acceptable solution. Le 09/11/2016 à 09:53, matlink a écrit : > I understand. We're looking for a solution that won't remove them and > prevent anyone except me to change the password. > > > Le 09/11/2016 à

Bug#823004: gplaycli: sensitive information in config file

2016-11-09 Thread matlink
Why? Creating a Google account would make gplaycli work. Is that for privacy? Le 09/11/2016 à 10:18, Paul Wise a écrit : > On Wed, 2016-11-09 at 10:17 +0100, matlink wrote: > >> If we could automatically create a Google account through command >> line it would be an acceptable solution. > That

Bug#823004: gplaycli: sensitive information in config file

2016-11-09 Thread Paul Wise
On Wed, 2016-11-09 at 10:17 +0100, matlink wrote: > If we could automatically create a Google account through command > line it would be an acceptable solution. That wouldn't be interesting to me. Only a shared account is useful. -- bye, pabs https://wiki.debian.org/PaulWise signature.asc

Bug#823004: gplaycli: sensitive information in config file

2016-11-09 Thread matlink
I understand. We're looking for a solution that won't remove them and prevent anyone except me to change the password. Le 09/11/2016 à 09:43, Paul Wise a écrit : > On Wed, 2016-11-09 at 08:20 +0100, Matlink wrote: > >> there is a potential big issue with providing default credentials > The

Bug#823004: gplaycli: sensitive information in config file

2016-11-09 Thread Paul Wise
On Wed, 2016-11-09 at 08:20 +0100, Matlink wrote: > there is a potential big issue with providing default credentials The default shared credentials are the main advantage of this package. I wouldn't have any reason to use it without them. -- bye, pabs https://wiki.debian.org/PaulWise

Bug#823004: gplaycli: sensitive information in config file

2016-11-08 Thread Matlink
agree, but there is a potential big issue with providing default credentials : the google account will be subject to password change, and the more the package is used the more often this password will be changed. Password change means for me reset the password, update the default credentials

Bug#823004: gplaycli: sensitive information in config file

2016-11-07 Thread Matlink
Re, Le 07/11/2016 à 19:03, Lee Garrett a écrit : > Hi, > > On 07/11/16 17:56, matlink wrote: >> Hi Lee, >> >> Well the main goal for gplaycli was to provide a noconf and very easy to >> use command line for downloading apks. > I totally see the appeal, which is why I'm using it and want to see

Bug#823004: gplaycli: sensitive information in config file

2016-11-07 Thread Hans-Christoph Steiner
dummydroid is already included in Debian :-D I think the best way forward for this issue is for the gplaycli package to leave out the default credentials. Then make it as easy as possible for people to set up the credentials using dummydroid.

Bug#823004: gplaycli: sensitive information in config file

2016-11-07 Thread Lee Garrett
Hi, On 07/11/16 17:56, matlink wrote: > Hi Lee, > > Well the main goal for gplaycli was to provide a noconf and very easy to > use command line for downloading apks. I totally see the appeal, which is why I'm using it and want to see it in good shape in Debian. :) I'm personally working towards

Bug#823004: gplaycli: sensitive information in config file

2016-11-07 Thread matlink
Hi Lee, Well the main goal for gplaycli was to provide a noconf and very easy to use command line for downloading apks. Creating a google account is for some people not the best idea, because they either disagree with their ToS or they don't want to give Google too many infos (AFAIK Google

Bug#823004: gplaycli: sensitive information in config file

2016-11-07 Thread Lee Garrett
Package: gplaycli Followup-For: Bug #823004 Hi Matlink, the way gplaycli is shipped makes it problematic for several reasons: - Sharing account passwords violates Google's ToS - Someone could abuse that account for spamming via gmail, prompting Google to disable the account - Everyone can

Bug#823004: gplaycli: sensitive information in config file

2016-05-02 Thread matlink
Well, quite normal since I provide default credentials not to bother with AndroidID generation (which is very annoying to generate). Le 29/04/2016 22:52, Ingo Kabus a écrit : > Package: gplaycli > Version: 0.1.2+git15~g20f65ca-1 > Severity: normal > > Dear Maintainer, > > you ship your gmail

Bug#823004: gplaycli: sensitive information in config file

2016-04-29 Thread Ingo Kabus
Package: gplaycli Version: 0.1.2+git15~g20f65ca-1 Severity: normal Dear Maintainer, you ship your gmail credentials in the configuration file. Please ask the user to enter his own credentials during package installation. -- System Information: Debian Release: stretch/sid APT prefers testing