Hi Ken,
It does seem unfortunate that the official rules don't permit OSS
projects
https://developers.google.com/terms#b_confidential_matters says
b. Confidential Matters
Developer credentials (such as passwords, keys, and client IDs)
are intended to be used by you and identify your API Client. You
will keep your credentials confidential and make reasonable
efforts to prevent and discourage other API Clients from using
your credentials. Developer credentials may not be embedded in
open source projects.
Take the closed-source API client. How does it ‘make reasonable efforts
to prevent and discourage other API Clients from using your
credentials’? It's not shipping source, but does embedding it somewhere
inside an ELF executable count as reasonable? I disassemble machine
code a lot, so perhaps it's only reasonable if they make some effort to
disguise it?
How is that different to an open-source project shipping the API key as
two parts: an encryption key and the encrypted API key? It seems
reasonable to me. It's probably not too hard to make it as awkward to
get the plain-text key as it is to disassemble.
Or, we ship a proprietary closed-source blob, or download it if it's not
present, and lo, we've set the bar as high as those closed-source
shippers.
IANAL. The answers I got from a FSF lawyer about the implications of
signing their copyright assignment many years ago suggest to me that
those who have signed it probably don't interpret it as a lawyer does.
:-)
--
Cheers, Ralph.