I'm thinking about adding Ohloh integration to a well-known OSS project.
After reading the documentation, it's still not clear to me: if I receive an API key, can I publish it? It's obvious that after publishing the API key I cannot guarantee that someone won't use it in their own application.
Yes, it's true, as the design currently stands, if you publish your API key then anyone can use it. Using only the API key, another user can only get read-only access to public Ohloh data.
In order to access private account data or to write data to Ohloh, you must use OAuth, which requires both a (public) API key and a private OAuth secret. You should never share your OAuth secret. This will prevent other users from using your API key to access private data or write changes to Ohloh.
I think that the question was more about the 1000 requests per day limit and the access to public read-only XML without the use of the API key (which, I think, is unfortunately impossible). Because, in the case where one of us is (Peter and I are...) developing open source or just public-use free software with a key in it, we have to resolve two problems in the app's conception:
We are happy to lift the API key limit if required, and have done so in the past. We do encourage people to use caching when possible, but if you develop a popular application we're more than happy to help out. Part of the reason for the limit is so that people will contact us first before "surprising" us with millions of hits.
It's true that you can't put your application's secret into the source code if you are distributing it. OAuth wasn't really intended for distributed code -- it was designed for use with web services, which allows secret data to exist where it is inaccessible to the end user.
So if you're distributing your code, your secret won't stay secret, and you shouldn't use OAuth. If your users are savvy and patient, it's probably OK to go ahead and instruct users to get an API key from Ohloh and configure the application to use their own key and secret.
It's also possible to simply log a user in, if they are willing to give you their username and password. We haven't formalized this in the documentation, but it is possible to post the login form and get a session cookie. Let me know if you need some specific help here; we haven't discussed this much internally, and we might have some things to sort out first.
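An added illustration of two suggestions from the reply above (cache where possible, and have each user configure their own key instead of shipping one in the source); it is not part of the thread and is not Ohloh's code. The `fetch` callable, the `OHLOH_API_KEY` variable name and the one-hour TTL are assumptions; the 1000-per-day figure comes from the thread.

```python
import os
import time


class BudgetExceeded(Exception):
    """Raised when the daily request allowance is used up and nothing is cached."""


class CachedApiClient:
    """Wraps a fetch callable with a TTL cache and a daily request budget."""

    def __init__(self, fetch, api_key, daily_limit=1000, ttl=3600, clock=time.time):
        if not api_key:
            raise ValueError("no API key configured; each user supplies their own")
        self._fetch = fetch        # hypothetical transport: fetch(path, api_key) -> str
        self._key = api_key
        self._limit = daily_limit  # 1000/day is the limit mentioned in the thread
        self._ttl = ttl            # assumed freshness window, in seconds
        self._clock = clock
        self._cache = {}           # path -> (expiry time, body)
        self._day = None
        self._used = 0

    def get(self, path):
        now = self._clock()
        hit = self._cache.get(path)
        if hit and hit[0] > now:
            return hit[1]          # fresh cache entry: costs no request
        day = int(now // 86400)
        if day != self._day:       # new UTC day: reset the counter
            self._day, self._used = day, 0
        if self._used >= self._limit:
            if hit:
                return hit[1]      # over budget: serve stale data rather than fail
            raise BudgetExceeded(path)
        self._used += 1
        body = self._fetch(path, self._key)
        self._cache[path] = (now + self._ttl, body)
        return body

    @property
    def requests_used(self):
        return self._used


def key_from_environment(environ=os.environ, name="OHLOH_API_KEY"):
    """Read the user's own key at run time so no key ships in the source tree."""
    return environ.get(name, "").strip()
```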
Copyright © 2013 Black Duck Software, Inc. and its contributors, Some Rights Reserved. Unless otherwise marked, this work is licensed under a Creative Commons Attribution 3.0 Unported License. Ohloh® and the Ohloh logo are trademarks of Black Duck Software, Inc. in the United States and/or other jurisdictions. All other trademarks are the property of their respective holders.