Google API Key


Re: Google API Key

Philip Chee
On 15/06/2013 00:25, Doug Turner wrote:
> Yes, this will be integrated on the releng side.  Details TBD. I have
> reached out to John Oduinn last night.
>
> Yes, every linux distro will need its own key.  This isn't a change.  
> The existing Geolocation contract required non Mozilla produced builds
> to have their own API, iirc.  Also, I should be clear about the future

Is SeaMonkey considered a Mozilla produced build? Because some time back
someone in mozilla-central unconditionally turned on Geolocation for
anything building off mozilla-central/aurora/beta/release (by replacing
a pref with a hardcoded string (I assume "browser=firefox&sensor=true"
is the API key because I can't find anything else that resembles an API
key)). When we asked if this was intended we never got a definitive reply.

Phil

--
Philip Chee <[hidden email]>, <[hidden email]>
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning

Re: Google API Key

Philip Chee
In reply to this post by Doug Turner-2
On 15/06/2013 06:18, Doug Turner wrote:
>
>>
>> Is there an option to build with Geolocation disabled? I don't see one

There is in about:config |geo.enabled|

>> in configure.in. What happens if I build Geolocation without providing a
>> key?

> Geolocation requests will time out, as expected per spec.

Currently the code uses a hard coded key. There is no way of specifying
your own.

Phil

--
Philip Chee <[hidden email]>, <[hidden email]>
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.

Re: Google API Key

Philip Chee
In reply to this post by Doug Turner-2
On 15/06/2013 06:20, Doug Turner wrote:

>
>
> Jonathan Kew wrote:
>> And does it mean each and every developer will need keys for any and all
>> of these services, if they're to test these features in their own builds
>> as they're working on them?
>
> Yes.  Just like chromium.
>
> I should also point out that there are like 3 people that need to worry
> about this at this point. Most of them work for me and are all squared
> away. :)

Plus:

SeaMonkey: Uses Geolocation and Safe Browsing APIs from Google.

Thunderbird: Has code to use Safe Browsing API from Google but this code
is currently disabled.

Phil

--
Philip Chee <[hidden email]>, <[hidden email]>
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.

Re: Google API Key

Doug Turner-2


Philip Chee wrote:

> On 15/06/2013 06:20, Doug Turner wrote:
>>
>> Jonathan Kew wrote:
>>> And does it mean each and every developer will need keys for any and all
>>> of these services, if they're to test these features in their own builds
>>> as they're working on them?
>> Yes.  Just like chromium.
>>
>> I should also point out that there are like 3 people that need to worry
>> about this at this point. Most of them work for me and are all squared
>> away. :)
>
> Plus:
>
> SeaMonkey: Uses Geolocation and Safe Browsing APIs from Google.

For Geo - this is unauthorized access as near as I can tell. I think
that we used to use a safe browser API that was 'public'.  In any case,
you should inform the owners of SeaMonkey to double check their usage.
Is that still Kairo?


> Thunderbird: Has code to use Safe Browsing API from Google but this code
> is currently disabled.

That's good ;)



Re: Google API Key

Doug Turner-2
In reply to this post by Philip Chee


Philip Chee wrote:
> Currently the code uses a hard coded key. There is no way of specifying
> your own.


It would be an addon, I suppose.  File a bug?

Re: Google API Key

Doug Turner-2
In reply to this post by Philip Chee


Philip Chee wrote:
> On 15/06/2013 00:25, Doug Turner wrote:
>> Yes, this will be integrated on the releng side.  Details TBD. I have
>> reached out to John Oduinn last night.
>>
>> Yes, every linux distro will need its own key.  This isn't a change.
>> The existing Geolocation contract required non Mozilla produced builds
>> to have their own API, iirc.  Also, I should be clear about the future
>
> Is SeaMonkey considered a Mozilla produced build?

No.  SeaMonkey is a community project.

Re: Google API Key

Mike Hommey
In reply to this post by Doug Turner-2
On Sat, Jun 15, 2013 at 12:52:34PM -0700, Doug Turner wrote:

>
>
> Philip Chee wrote:
> >On 15/06/2013 06:20, Doug Turner wrote:
> >>
> >>Jonathan Kew wrote:
> >>>And does it mean each and every developer will need keys for any and all
> >>>of these services, if they're to test these features in their own builds
> >>>as they're working on them?
> >>Yes.  Just like chromium.
> >>
> >>I should also point out that there are like 3 people that need to worry
> >>about this at this point. Most of them work for me and are all squared
> >>away. :)
> >
> >Plus:
> >
> >SeaMonkey: Uses Geolocation and Safe Browsing APIs from Google.
>
> For Geo - this is unauthorized access as near as I can tell. I think
> that we used to use a safe browser API that was 'public'.

Until recently, using the public safe browser shavars required code
changes. Now it's only a pref away, but the default is still to use the
shavar that requires Google's approval, not the public one. Bug 557752
should be put forward, and, in fact, should not be about unbranded vs
branded, but Mozilla vs. not.

I think most third party API usage is in the same vein, requiring code
changes to not use them when you're not authorized to, which, as you
imply, you're not unless you're Mozilla. It's fine-ish that some
features might not be available when you're not authorized, but it's not
fine that the code a) does unauthorized things by default and b) doesn't
allow to do the right thing without modifying the code.

Mike

Re: Google API Key

Philip Chee
In reply to this post by Doug Turner-2
On 16/06/2013 03:52, Doug Turner wrote:

>
>
> Philip Chee wrote:
>> On 15/06/2013 06:20, Doug Turner wrote:
>>>
>>> Jonathan Kew wrote:
>>>> And does it mean each and every developer will need keys for any and all
>>>> of these services, if they're to test these features in their own builds
>>>> as they're working on them?
>>> Yes.  Just like chromium.
>>>
>>> I should also point out that there are like 3 people that need to worry
>>> about this at this point. Most of them work for me and are all squared
>>> away. :)
>>
>> Plus:
>>
>> SeaMonkey: Uses Geolocation and Safe Browsing APIs from Google.
>
> For Geo - this is unauthorized access as near as I can tell. I think
> that we used to use a safe browser API that was 'public'.  In any case,
> you should inform the owners of SeaMonkey to double check their usage.
> Is that still Kairo?

To clarify, SeaMonkey uses our own API key for Safe Browsing. We don't
use our own API key for Geolocation because there is no way of
specifying a different key (short of forking a whole bunch of code).

>> Thunderbird: Has code to use Safe Browsing API from Google but this code
>> is currently disabled.
>
> That's good ;)
>
>


--
-==-
Philip Chee <[hidden email]>, <[hidden email]>
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.

Re: Google API Key

Doug Turner-2


Philip Chee wrote:
> To clarify, SeaMonkey uses our own API key for Safe Browsing. We don't
> use our own API key for Geolocation because there is no way of
> specifying a different key (short of forking a whole bunch of code).


Good news here though:  We are moving to use native system geolocation
systems.

Also, the new API allows you to just specify a key when you build. :)

Re: Google API Key

Joe Drew-5
In reply to this post by Doug Turner-2

On 2013-06-15 3:55 PM, Doug Turner wrote:
>> Is SeaMonkey considered a Mozilla produced build?
>
> No.  SeaMonkey is a community project.

Not being flippant here - what's the difference between something
Mozilla produces and something the Mozilla community produces?

Re: Google API Key

Boris Zbarsky
In reply to this post by Doug Turner-2
On 6/17/13 10:54 AM, Joe Drew wrote:
> Not being flippant here - what's the difference between something
> Mozilla produces and something the Mozilla community produces?

At a guess, the difference is whether something is produced by the
entity that has the contract with Google to use the API key (that
presumably being the Mozilla Corporation) or not....

But I don't know anything about the actual restrictions on our usage of
these API keys; the above is a total guess.

-Boris

Re: Google API Key

Doug Turner-2


Boris Zbarsky wrote:

> On 6/17/13 10:54 AM, Joe Drew wrote:
>> Not being flippant here - what's the difference between something
>> Mozilla produces and something the Mozilla community produces?
>
> At a guess, the difference is whether something is produced by the
> entity that has the contract with Google to use the API key (that
> presumably being the Mozilla Corporation) or not....
>
> But I don't know anything about the actual restrictions on our usage of
> these API keys; the above is a total guess.
>
> -Boris


For a better answer, I would ask on .governance and cc the big guns.

Doug

Re: Google API Key

Gavin Sharp-3
In reply to this post by Joe Drew-5
Seems kind of like a leading question, because there are many
differences between Firefox and SeaMonkey, and it's not clear which
you care about :)

"Mozilla produced build" in this context is just an imprecise way of
saying "the products for which the Mozilla Corporation has reached an
agreement with Google for API keys, on behalf of the Mozilla project",
i.e. Firefox.

Gavin

On Mon, Jun 17, 2013 at 10:54 AM, Joe Drew <[hidden email]> wrote:

>
> On 2013-06-15 3:55 PM, Doug Turner wrote:
>>>
>>> Is SeaMonkey considered a Mozilla produced build?
>>
>>
>> No.  SeaMonkey is a community project.
>
>
> Not being flippant here - what's the difference between something Mozilla
> produces and something the Mozilla community produces?
>

Re: Google API Key

Philip Chee
In reply to this post by Doug Turner-2
On 16/06/2013 09:04, Mike Hommey wrote:

> On Sat, Jun 15, 2013 at 12:52:34PM -0700, Doug Turner wrote:
>>
>>
>> Philip Chee wrote:
>> >On 15/06/2013 06:20, Doug Turner wrote:
>> >>
>> >>Jonathan Kew wrote:
>> >>>And does it mean each and every developer will need keys for any and all
>> >>>of these services, if they're to test these features in their own builds
>> >>>as they're working on them?
>> >>Yes.  Just like chromium.
>> >>
>> >>I should also point out that there are like 3 people that need to worry
>> >>about this at this point. Most of them work for me and are all squared
>> >>away. :)
>> >
>> >Plus:
>> >
>> >SeaMonkey: Uses Geolocation and Safe Browsing APIs from Google.
>>
>> For Geo - this is unauthorized access as near as I can tell. I think
>> that we used to use a safe browser API that was 'public'.
>
> Until recently, using the public safe browser shavars required code
> changes. Now it's only a pref away, but the default is still to use the
> shavar that requires Google's approval, not the public one. Bug 557752
> should be put forward, and, in fact, should not be about unbranded vs
> branded, but Mozilla vs. not.

I fixed this in Bug 825417 so now each project can specify what shavars
to use:
http://hg.mozilla.org/mozilla-central/rev/740cf756cf33

> I think most third party API usage is in the same vein, requiring code
> changes to not use them when you're not authorized to, which, as you
> imply, you're not unless you're Mozilla. It's fine-ish that some
> features might not be available when you're not authorized, but it's not
> fine that the code a) does unauthorized things by default and b) doesn't
> allow to do the right thing without modifying the code.
>
> Mike

Phil

--
Philip Chee <[hidden email]>, <[hidden email]>
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.

Re: Google API Key

Gervase Markham
In reply to this post by Joe Drew-5
On 17/06/13 19:51, Gavin Sharp wrote:
> "Mozilla produced build" in this context is just an imprecise way of
> saying "the products for which the Mozilla Corporation has reached an
> agreement with Google for API keys, on behalf of the Mozilla project",
> i.e. Firefox.

Did we even attempt to get an agreement for all Mozilla software (or all
browser software), or was that not discussed? (If you don't know, who
would?)

One of the goals Mozilla has with source code licensing is that other
people should be able to take our code and build a browser which works
just as well (but without our branding). It would be a shame if that
laudable goal, which has been met for many years, was undermined by
increasing use of web services with Firefox-only contractual arrangements.

Not that I can see an obvious solution to the problem - these services
are important competitively -  but this is a change which should not
pass without comment.

Gerv

Re: Google API Key

Cameron Kaiser-2
On Monday, June 24, 2013 2:22:17 AM UTC-7, Gervase Markham wrote:
> > "Mozilla produced build" in this context is just an imprecise way of
> > saying "the products for which the Mozilla Corporation has reached an
> > agreement with Google for API keys, on behalf of the Mozilla project",
> > i.e. Firefox.
>  
> Did we even attempt to get an agreement for all Mozilla software (or all
> browser software), or was that not discussed? (If you don't know, who
> would?)

I've been waiting to find out a final determination for TenFourFox. Because it's limited to Power Macs, we can't use CoreLocation (no support in the OS). It's not a high priority feature, so disabling it entirely isn't a dealbreaker, but it would be nice to know if there was another option. I doubt Google would just give us a high-volume API key out of the goodness of their hearts; we still have in the ballpark of 20,000 active users and some small portion of them probably do use geolocation in some manner.

Cameron Kaiser

Re: Google API Key

Philip Chee
In reply to this post by Gervase Markham
On 24/06/2013 17:22, Gervase Markham wrote:

> On 17/06/13 19:51, Gavin Sharp wrote:
>> "Mozilla produced build" in this context is just an imprecise way of
>> saying "the products for which the Mozilla Corporation has reached an
>> agreement with Google for API keys, on behalf of the Mozilla project",
>> i.e. Firefox.
>
> Did we even attempt to get an agreement for all Mozilla software (or all
> browser software), or was that not discussed? (If you don't know, who
> would?)
>
> One of the goals Mozilla has with source code licensing is that other
> people should be able to take our code and build a browser which works
> just as well (but without our branding). It would be a shame if that
> laudable goal, which has been met for many years, was undermined by
> increasing use of web services with Firefox-only contractual arrangements.

IIRC GPLv3 has clauses which address TIVOization. Did this issue
crop up during the MPLv2 discussion?

> Not that I can see an obvious solution to the problem - these services
> are important competitively -  but this is a change which should not
> pass without comment.
>
> Gerv

Re: Geolocation:
Did Doug forget to fix B2G? It looks like it's still using the old uri.
Compare:
http://mxr.mozilla.org/mozilla-central/source/b2g/app/b2g.js#166
with
http://mxr.mozilla.org/mozilla-central/source/browser/app/profile/firefox.js#1287
q.v. Bug 882485.

Also how does FirefoxOS fit into this? Do all those phone makers have to
get their own keys from Google?

How about all those developers who have bought the Keon/Peak phones?

Phil

--
Philip Chee <[hidden email]>, <[hidden email]>
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.