My plan was to use macaroons (in this case mainly because that's a
conveniently-packaged version of HMAC, but it would fit well with other
future plans for HTTPS pushes), effectively generating a root key for
each job. But it would probably make more sense to have a single root
key configured using the slightly-awkward secret-management arrangements
in production-configs instead, and then attach the CodeImportJob.id as a
caveat in each case. I'll put together enough code to convince myself
that this will work and delete this column if so.
My plan was to use macaroons (in this case mainly because that's a packaged version of HMAC, but it would fit well with other
conveniently-
future plans for HTTPS pushes), effectively generating a root key for
each job. But it would probably make more sense to have a single root
key configured using the slightly-awkward secret-management arrangements
in production-configs instead, and then attach the CodeImportJob.id as a
caveat in each case. I'll put together enough code to convince myself
that this will work and delete this column if so.