Consider changing Google API key

Bug #1650007 reported by Jeremy Bícha
Affects: evolution-data-server (Ubuntu)
Status: Incomplete
Importance: Undecided
Assigned to: Unassigned

Bug Description

evolution-data-server (e-d-s) 3.20 before 3.20.6 and 3.22 before 3.22.2 had bugs that caused users using Google services to experience daily limit timeouts and authentication errors. Unfortunately, users using older versions are causing those problems for everyone that still uses the affected API key. Therefore GNOME is updating the API key used by GNOME Online Accounts. For more info, see LP: #1649995 and https://bugzilla.gnome.org/774202

- I don't know yet if e-d-s before 3.20 is also affected. I asked but you're welcome to ask the Evolution devs yourself. https://bugzilla.gnome.org/show_bug.cgi?id=771547#c61

- Upstream evolution has two ways to configure a Google account: GNOME Online Accounts and e-d-s. I assume Ubuntu Online Accounts is a 3rd way. (I think e-d-s will need to switch to a new Google API key too but that hasn't happened yet.)

- For Ubuntu 16.10, we need the latest evolution-data-server SRU (LP: #1639926) to be pushed to yakkety-updates and fully 100% phased before publishing the new key.

- Therefore, assuming Ubuntu Online Accounts is affected, I suggest you consider changing the Google API key used in Ubuntu 16.10 and above. Once we figure out if e-d-s needs to be updated for 16.04 (and possibly earlier releases), I believe we'll need to update the key there too.

- On the other hand, since we control Ubuntu updates (unlike GNOME, which has no control over who uses what version of their stuff) maybe we don't need to change the key after all. Maybe we just need to push the e-d-s SRUs as security updates to ensure people use the fixed versions?

Jeremy Bícha (jbicha)
description: updated
Jeremy Bícha (jbicha)
affects: ubuntu-system-settings-online-accounts (Ubuntu) → account-plugins (Ubuntu)
Jeremy Bícha (jbicha) wrote :

Ok, a bit more info, copying from https://bugzilla.gnome.org/show_bug.cgi?id=771547#c62

--
The internal Google OAuth2 authentication had been introduced in eds 3.20.0 (thus it's pretty new), for which I released eds 3.20.6 with all the yet-known fixes recently, in the hope that distros which still use 3.20.x will update and thus will help all users. I'm not going to change the Google API keys in eds, because the statistics which the Google server provides indicate that the usage is pretty fine with the internal eds Google API keys. Just compare the numbers from Tuesday this week:

- for the GOA, the past 24 hours:
  CalDAV API - 104 million requests, 99 million errors (95.34%)
  Tasks API - 65 million requests, 65 million errors (99.93%)

- for the eds, the past 24 hours:
  CalDAV API - 399 thousand requests, 5 thousand errors (1.37%)
  CardDAV API - 59 thousand requests, 12 errors (0.02%)
  Contacts API - 30 thousand requests, 31 errors (0.1%)
  Tasks API - 9 thousand requests, 0 errors (0%)

Alberto Mardegan (mardy) wrote :

The OAuth keys for Google are defined in EDS itself (src/modules/ubuntu-online-accounts/google-*.service.in.in). They were registered by me, but I gave access to them to the EDS developers themselves (though I suspect that it was still at the time when Matthew Barnes was the lead developer - I'm not sure Milan has access).

Anyway, I just checked the stats and I've verified that we are well below the maximum quota, with no errors reported, for the last 30 days. So I believe that we are fine there, and that we don't need to act on this.

I'll leave this bug in incomplete state; if new data emerges that convinces us that we indeed have a problem, we'll address it.

affects: account-plugins (Ubuntu) → evolution-data-server (Ubuntu)
Changed in evolution-data-server (Ubuntu):
status: New → Incomplete