As it was explained to me (I think the API team would do well by discussing this stuff out in the open so we don't have to answer for them), the concern is having keys available in plain text. With OSS, you have that in 1, and potentially 2, situations:

1: Source code distributions/repos
2: end-user packages of non-compiled apps (like apps based on Python or JavaScript)

The answer to #1 is to not include your keys in the source. That's fine for me. The answer to #2 is to either obfuscate your code (compiling, or intentional obfuscation) or to not include any consumer keys/secrets, and just use the above API.

--
Ed Finkler
http://funkatron.com
@funkatron
AIM: funka7ron / ICQ: 3922133 / XMPP:[email protected]

On Jun 12, 4:59 am, Jef Poskanzer <[email protected]> wrote:
> I don't understand why you are suggesting this only for open source
> programs. Were you thinking that an attacker would be incapable of
> decompiling an executable and extracting the secret?
