> But hey, I didn’t code a Webserver so far - so what do I know
If you limit the scope, it's worth doing and might not take as much effort as you might think. You could possibly find some enjoyment and learn a few things doing so.
In college I had a networks class where the capstone project was writing a basic HTTP server in C. It's actually shockingly easy, especially if you're only supporting get and fetch.
Mine was something like 70 lines, and would just listen on 8080 and fork when it got a connection before checking for the requested file and sending it or a 404. I was immediately tempted to try adding something like CGI support but didn't have the time that semester.
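A minimal version of the server sketched above, added here as an example and not the commenter's own code: it listens on 8080, forks per connection, and sends the requested file or a 404. The document root `./www`, the function names and the loopback-only bind are my assumptions. The one step the sketch glosses over is "checking for the requested file": the path comes straight from the network, so `path_is_safe()` rejects any `..` segment before the path is joined onto the document root, and `handle_connection()` only serves regular files.

```c
/* Minimal fork-per-connection HTTP/1.0 file server (illustrative, POSIX only).
 * Serves GET requests for files under DOCROOT on PORT, answering 404 when the
 * file is missing and 400 when the request is not a plain GET or the path
 * contains a ".." segment. No percent-decoding is done, so "%2e%2e" is just a
 * literal file name that will not exist. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <netinet/in.h>

#define DOCROOT "./www"   /* assumed document root for this example */
#define PORT 8080

/* Extract the request target from a "GET <path> HTTP/x.y" request line.
 * Returns 0 on success, -1 for other methods or a malformed line. */
int parse_request_path(const char *req, char *out, size_t outlen) {
    if (strncmp(req, "GET ", 4) != 0) return -1;
    const char *start = req + 4;
    const char *end = strchr(start, ' ');
    if (end == NULL || end == start) return -1;
    size_t len = (size_t)(end - start);
    if (len >= outlen) return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* A path is safe only if it is absolute and no '/'-delimited segment is
 * exactly "..": "/a..b/file" is fine, "/a/../b" is not. */
int path_is_safe(const char *path) {
    if (path[0] != '/') return 0;
    const char *p = path;
    while (*p) {
        const char *seg_end = strchr(p, '/');
        size_t seg_len = seg_end ? (size_t)(seg_end - p) : strlen(p);
        if (seg_len == 2 && p[0] == '.' && p[1] == '.') return 0;
        if (seg_end == NULL) break;
        p = seg_end + 1;
    }
    return 1;
}

static void send_all(int fd, const char *buf, size_t len) {
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n <= 0) return;
        buf += n;
        len -= (size_t)n;
    }
}

/* Answer one connection: read the request line, map it onto DOCROOT, and
 * stream the file back or reply 404/400. Returns the status code sent. */
int handle_connection(int fd) {
    char req[1024], path[512], full[1024], chunk[4096];
    struct stat st;
    ssize_t n = read(fd, req, sizeof req - 1);
    if (n <= 0) return 400;
    req[n] = '\0';
    if (parse_request_path(req, path, sizeof path) != 0 || !path_is_safe(path)) {
        const char *bad = "HTTP/1.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n";
        send_all(fd, bad, strlen(bad));
        return 400;
    }
    if (strcmp(path, "/") == 0) strcpy(path, "/index.html");
    snprintf(full, sizeof full, "%s%s", DOCROOT, path);
    int file = open(full, O_RDONLY);
    if (file < 0 || fstat(file, &st) != 0 || !S_ISREG(st.st_mode)) {
        if (file >= 0) close(file);
        const char *nf = "HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n";
        send_all(fd, nf, strlen(nf));
        return 404;
    }
    const char *ok = "HTTP/1.0 200 OK\r\n\r\n";
    send_all(fd, ok, strlen(ok));
    while ((n = read(file, chunk, sizeof chunk)) > 0) send_all(fd, chunk, (size_t)n);
    close(file);
    return 200;
}

int main(void) {
    int srv = socket(AF_INET, SOCK_STREAM, 0);
    if (srv < 0) { perror("socket"); return 1; }
    int one = 1;
    setsockopt(srv, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in addr = {0};
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* localhost only for the demo */
    addr.sin_port = htons(PORT);
    if (bind(srv, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(srv, 16) < 0) {
        perror("bind/listen");
        return 1;
    }
    signal(SIGCHLD, SIG_IGN);   /* let the kernel reap finished children */
    for (;;) {
        int client = accept(srv, NULL, NULL);
        if (client < 0) continue;
        if (fork() == 0) {      /* child: serve one request, then exit */
            close(srv);
            handle_connection(client);
            close(client);
            _exit(0);
        }
        close(client);          /* parent: back to accepting */
    }
}
```

Build with `cc -o httpd httpd.c`, create `./www/index.html`, run it, and fetch `http://127.0.0.1:8080/`. The `..` check is deliberately on path segments rather than a substring search, so legitimate names containing two dots still work while every form of parent-directory escape is refused.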
> I'd question the added value of manual PR reviews at this point.
Yeah, why not reduce the team size to zero while you are at it?
These generalizations about software engineering have never been useful, IMO. Context is everything, there is no flow chart for building a perfect software process.
Although, I'd say you are absolutely delusional if you think we are universally beyond the point where manual review of pull requests is required.
If one ignores 70% of the documentation, it makes for a demonizing blog post about it, sure.
"
API keys for Firebase services are not secret
API keys for Firebase services only identify your Firebase project and app to those services. Authorization is handled through Google Cloud IAM permissions, Firebase Security Rules, and Firebase App Check.
All Firebase-provisioned API keys are automatically restricted to Firebase-related APIs. If your app's setup follows the guidelines in this page, then API keys restricted to Firebase services do not need to be treated as secrets, and it's safe to include them in your code or configuration files.
Set up API key restrictions
If you use API keys for other Google services, make sure that you apply API key restrictions to scope your API keys to your app clients and the APIs you use.
Use your Firebase-provisioned API keys only for Firebase-related APIs. If your app uses any other APIs (for example, the Places API for Maps or the Gemini Developer API), use a separate API key and restrict it to the applicable API."
The only reasonable design is to have two kinds of API keys that cannot be used interchangeably: public API keys, that cannot be configured to use private APIs, and private API keys, that cannot be configured to use public APIs. There's no one who must use a single API key for both purposes, and almost all cases in which someone does configure an API key like that will be a mistake. It would be even better if the API keys started with a different prefix or had some other easy way to distinguish between the two types so that I can stop getting warnings about my Firebase keys being "public".
It'd be much better to call them something like "API usernames" or "API Client IDs". Though I also dislike the naming of "public keys" in asymmetric cryptography, for the same reasons, and I'm definitely not winning that fight!
Back then, they did not automatically restrict those keys to only Firebase-related APIs.
So yes, if you read the documentation as it exists today it's much more clear what they're trying to prevent, but this is only after this issue has become more apparent.
> Back then, they did not automatically restrict those keys to only Firebase-related APIs.
If that is the case, why is this also in the 2022 link?
The part about scoping links to the restrictions documentation.
"Understand API keys
API keys for Firebase services are not secret
Firebase uses API keys only to identify your app's Firebase project to Firebase services, and not to control access to database or Cloud Storage data, which is done using Firebase Security Rules. For this reason, you do not need to treat API keys for Firebase services as secrets, and you can safely embed them in client code. Learn more about API keys for Firebase.
Set up API key scoping
As an additional deterrent against an attacker attempting to use your API key to spoof requests, you can create API keys scoped to your app clients.
Keep FCM server keys secret
Unlike API keys for Firebase services, FCM server keys (used by the legacy FCM HTTP API) are sensitive and must be kept secret.
Keep service account keys secret
Also unlike API keys for Firebase services, service account private keys (used by the Admin SDK) are sensitive and must be kept secret.
"
That doesn't seem to be the case always, given the data on crime reporting:
"Patterns in police reporting for property crime during 2020–2023 were similar to those for violent crime. A quarter (25%) of all property victimizations in urban areas were reported to police, which was lower than the percentages in suburban (33%) and rural (36%) areas (figure 2).
Similar to overall property victimization, a lower percentage of other theft victimizations were reported to police in urban areas (20%) compared to suburban (28%) and rural (31%) areas."
"For violent crimes, in 1997, 7% of victims stated that “Police wouldn’t help” as the reason they did not call the police. This more than doubled to 16% by 2021. For property crimes, the corresponding rates were 12% in 1997 and 18% in 2021"
Look at the silver lining - once the paperclip maximizers have crashed both modern civilization and the biosphere, it will be easy for any survivors to find privacy amid the metaphorical and actual ruins.
Although I'm wrong about it being closely enough related to the Model Y's platform to really say "it's a Model Y," many of those stainless steel panels are absolutely secured with fasteners and glue.