[openstreetmap/openstreetmap-website] Add allow_read_email oauth permission (#1431)
Ilya Zverev
notifications at github.com
Mon Mar 20 11:53:25 UTC 2017
> ...would it be possible to limit that permission to certain applications that we have somehow specially authorized?
I still don't see why. A malicious app aimed at collecting emails can simply ask a user to enter their email address. As you've written, "grown-ups fall prey to exploits all the time", and there is no need to make an exploit such elaborate just to get an email address. People share their addresses on the web now right and left, and those who don't, by this time should have learnt to read things they agree to.
To me, "all or nothing" is the only way to go. We don't vet software to edit the map or post notes. We have made a dump of all GPX traces in the past, which users ten years ago didn't think would be made. They could find very private traces in that dump, and no way to remove them from the public. Signing the wrong document can lead to worse outcomes than leaking an email address.
> this has got a bit lost in the discussion, that providing an API to our messaging system is a clear alternative to handing out e-mail addresses
We are discussing existing open pull requests. Providing an API for messaging is obviously an alternative. Not doing anything is also a clear alternative. Can we do both? Because from my point of view, an API for messaging is much more hassle, with potential spamming and rate-limits and possible vetting and so on. It is much more complex issue than this one.
> app/service operators that know what a burden keeping personal information safe is and would rather not have to store the addresses themselves, and those that don't know that yet
Is this about email addresses still? Because I have heard about only one service that does not store addresses for profiles, and I wrote it myself. I assume there is virtually none services that having access to a user's email addresses, do not store it in a profile. It is not a phone, not a physical address, not a facebook account. Email address is an absolute minimim required for using many services, and because of that it is hardly considered a secret to protect at all costs, including the cost of worsening the user experience.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/1431#issuecomment-287738746
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20170320/5b8f1a54/attachment.html>
More information about the rails-dev
mailing list