Twitter vs. Open Source Clients

Apparently you can no longer legitimately use Twitter with open source clients, Ars has a lot of details around the implications of the way Twitter just rolled out OAuth.

Twitter’s OAuth implementation and open source clients

Requiring third-party developers to embed a consumer secret key in the source code of their Twitter client applications potentially puts free and open source (FOSS) client software at greater risk of key exposure than closed-source client software. The key would be visible as plain text in the source code, where anybody could find it and use it for their own purposes. Indeed, one can already easily find dozens of OAuth consumer secret keys by using Google’s code search engine.

Twitter felt that allowing FOSS Twitter clients to use OAuth posed an unacceptable risk. The company warned that it would invalidate any OAuth keys that it found published in the source code of FOSS client applications. This was deeply troubling to the developers who maintain such software, including me. I am the developer behind Gwibber, a GPL-licensed microblogging client that is used in Ubuntu and other Linux distributions.

This is a damn shame.  I just fixed up my little script that talks to twitter, and I’ll be publishing keys out to github later this week because it’s asinine that they would build an interface which makes it overly burdensome to use open source clients.  OAuth has some neat ideas in it, but making it fundamentally Free and Open Source hostile seems like a bad direction to go.

2 thoughts on “Twitter vs. Open Source Clients”

  1. I’ve been thinking about this for several months now, and I can’t seem to find a way that OAuth can be implemented using a application key installed with installable software of any kind. I’m not a crypto / security person, so maybe there is another way?

    One thing is for sure, Twitter’s outright disapproval of FOSS is disappointing.


    1. The crux is that application keys shouldn’t be trusted from clients. If a client/account goes whacky, blame and limit the account, not the client, because the action is stoppable by the user. In the web case, it’s different.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s