On Mon, Aug 31, 2020 at 3:46 PM Ken Hornstein <kenh@pobox.com> wrote:
AIUI, Google was planning on discontinuing LSA access late this year for
gmail accounts (hosted GSuite accounts had a different timeline but the
same goal). Instead, apps can apply for an app-specific "secret", but on
terms that specifically disallow open-source code from shipping the
secret.
Well ... we've been dealing with this as well. Our reading of the terms
is that the issue isn't with open source software at all, but more about
how you prove that you're "you" (we shipped a secret that worked until
very recently). I don't see anything that really disallows OSS, though!
Here's the part that came across emacs-devel:
Google's terms of service for OAuth services are available at
https://developers.google.com/terms . Only a lawyer can tell you in brief
terms what the concrete requirements are.
...
- Paragraph 4.b.1, which states that "You will keep your credentials
confidential and make reasonable efforts to prevent and discourage other
API Clients from using your credentials. Developer credentials may not be
embedded in open source projects." prohibits the use of OAuth credentials
in free software projects. As I wrote above (and earlier), Google
tolerates (at the moment) that this specific point of their TOS is
violated. But that doesn't mean that violating them is without legal
risk.
Hope that helps!
~Chad