github OAuth authentication need ?

Sandro Tosi morph at debian.org
Mon Nov 23 16:36:36 UTC 2015


On Mon, Nov 23, 2015 at 4:31 PM, Olivier Berger
<olivier.berger at telecom-sudparis.eu> wrote:
> Sandro Tosi <morph at debian.org> writes:
>
>> On Mon, Nov 23, 2015 at 3:26 PM, Olivier Berger
>> <olivier.berger at telecom-sudparis.eu> wrote:
>>> I'm not sure I understand the need for authenticating to github, though,
>>> as we're doing only read-only queries and some kind of throttling.
>>>
>>> Can you share a bit more details ?
>>
>> if you're not authenticated, then you get rate-limited; there's some
>> link out there that describes it in detail, don't remember the exact
>> url tho
>>
>
> OK, found it : https://developer.github.com/v3/#rate-limiting
>
>>> I'd like to make the token configurable in the yaml file (and possibly
>>> document its generation) but I'm in doubt about its actual need.
>>
>> it's not different than all the other auth methods we use in the other btses
>>
>
> Well, they might as well move to the config file if needed ;-)

I'm considering changing all the passwords/tokens, removing them from
the python files and storing them in a 600 file on sonntag only.

>
>>> In any case something should be done to either regenerate a token or
>>> get rid of it in the running instance of the code on sonntag :-/
>>
>> nope the token must be there, and cannot be regenerated easily (you
>> have to do the github webpage and blabla)
>>
>
> Yes, I think the easiest way is under :
> https://github.com/settings/tokens/new probably selecting the most
> minimal set of permissions... not sure about which, exactly.
>
>>> Thanks in advance, and sorry for the mess we might have caused.
>>
>> please have your students change that token, and please change it also
>> in the code you run yourself. that would also apply to the other btses
>> requiring authentication. only the bts on debian machines should use
>> those login/pwd (yeah ok they are stored publicly, that doesn't mean
>> the real bts needs to suffer from other tests if the user we use got
>> banned/limited/suspended/etc)
>>
>
> Right.
>
> I'll do and tell my students.

make also sure they actually do it - opening bugs is not enough :)

> Also, I'll check whether there's a proper documentation on how to
> regenerate a token, possibly programmatically.
>
> Also, for tests, I guess caching would be interesting. I'll try and
> check if that could be achieved with minimal effort.

yeah definitely, BTSes get upset pretty quickly, and they see the
user agent of bts-link....

Regards,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi
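
The message above proposes taking the passwords/tokens out of the python files and keeping them in a 600 file. The following is an added example, not part of the original message and not bts-link's own code, of loading a token that way and refusing a file that others could read. The names `load_secret`, `github_headers` and `InsecureSecretFile`, the one-token-per-file layout and the `bts-link` User-Agent value are assumptions made for illustration.

```python
import os
import stat


class InsecureSecretFile(Exception):
    """Raised when the secrets file is unusable or readable by others."""


def load_secret(path):
    """Return the token stored in `path` (hypothetical helper).

    The file must be a regular file, owned by the running user, with no
    group/other permission bits set (i.e. mode 600 or stricter).
    """
    # O_NOFOLLOW: refuse a symlink planted at the expected path.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        # fstat the descriptor we opened, so the file we check is the
        # file we read (no check-then-open race).
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise InsecureSecretFile("%s is not a regular file" % path)
        if st.st_uid != os.geteuid():
            raise InsecureSecretFile("%s is not owned by this user" % path)
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureSecretFile(
                "%s has mode %o, expected 600"
                % (path, stat.S_IMODE(st.st_mode)))
        with os.fdopen(fd, "r") as fh:
            fd = None  # fh now owns the descriptor
            token = fh.read().strip()
    finally:
        if fd is not None:
            os.close(fd)
    if not token:
        raise InsecureSecretFile("%s is empty" % path)
    return token


def github_headers(token):
    """Headers for an authenticated GitHub API v3 request.

    The User-Agent value is an assumption; the token never appears in
    the source tree, only in the 600 file.
    """
    return {"Authorization": "token " + token, "User-Agent": "bts-link"}
```

Failing closed on a loose mode means a token file copied or restored with default permissions is noticed at startup instead of staying readable to other accounts on the host.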



More information about the Bts-link-devel mailing list