Discussed briefly on IRC.

One way to make this call secure would be to make the AddLicenseKey call:
AddLicenseKey(packagename, token, server)

aptdaemon could then contact the (trusted) server, authenticate with the
provided token and retrieve the license key itself.

It would need to receive the OAuth token as an argument because it
doesn't have access to the session bus to request the token itself.

The server argument would need to be restricted to "production" or
"staging", so that you can't ask aptdaemon to contact just any server.

It might be best to package the sca client library separately for
aptdaemon to use.

Optionally, aptdaemon could read an environment variable to check which
server it should contact, and make the call receive only
packagename+token.

It could even reuse SOFTWARE_CENTER_BUY_HOST, the same env var software-
center uses, with the same restrictions: it should only be allowed to
refer to the trusted staging or production server.

Alternatively to the packagename, the call could receive a subscription
(numeric) id, and fetching that from the sca api will provide the
package name together with the license key.

https://bugs.launchpad.net/bugs/833945

Title:
  Allow to install system wide license keys
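
The server restriction proposed in the comment above, sketched as an added example (not code from aptdaemon or software-center): the caller may only name "production" or "staging", and SOFTWARE_CENTER_BUY_HOST is honoured only when it exactly matches a pinned URL. The URLs, the function names and the default to production are assumptions made for illustration.

```python
import os
import re

# Placeholder URLs (assumption): a real daemon would pin the actual
# production and staging hosts here, in code only root can modify.
TRUSTED_SERVERS = {
    "production": "https://sca.example",
    "staging": "https://sca.staging.example",
}
# Debian package name syntax: lowercase alphanumerics plus "+", "-", ".".
PACKAGE_NAME_RE = re.compile(r"[a-z0-9][a-z0-9+.-]+")


class UntrustedServerError(ValueError):
    """Raised when the requested server is not on the allowlist."""


def resolve_server(server=None, environ=None):
    """Return the pinned URL for a server name, or for the daemon's env var."""
    environ = os.environ if environ is None else environ
    if server is not None:
        # The caller passes a name, never a URL, so it cannot steer the
        # privileged daemon (and the OAuth token) to an arbitrary host.
        if not isinstance(server, str) or server not in TRUSTED_SERVERS:
            raise UntrustedServerError("unknown server name: %r" % (server,))
        return TRUSTED_SERVERS[server]
    host = environ.get("SOFTWARE_CENTER_BUY_HOST")
    if host is None:
        return TRUSTED_SERVERS["production"]  # assumed default
    # Exact match only: prefix or substring checks would accept
    # look-alike hosts such as "https://sca.example.attacker.test".
    host = host.rstrip("/")
    if host not in TRUSTED_SERVERS.values():
        raise UntrustedServerError("untrusted SOFTWARE_CENTER_BUY_HOST")
    return host


def validate_request(packagename, token, server=None, environ=None):
    """Check AddLicenseKey-style arguments before any network access."""
    if not isinstance(packagename, str) or not PACKAGE_NAME_RE.fullmatch(packagename):
        raise ValueError("invalid package name")
    if not isinstance(token, str) or not token:
        raise ValueError("missing OAuth token")
    # The token is deliberately left out of the return value and of every
    # error message so that it cannot end up in logs.
    return resolve_server(server, environ), packagename
```

The environment consulted here is the daemon's own, not the unprivileged caller's; anything taken from the caller has to go through the name lookup.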