Consider loosening the liboauth dependency
liboauth is weakly-maintained — no Git activity for the last 3 years and the last release was 4 years ago, and is only used in the OAuth 1 code paths. GNOME Online Accounts stopped advertising OAuth 1 support for Google accounts a long time ago because all the GOA-supported services got migrated to OAuth 2. So, for all practical purposes, the OAuth 1 paths in GDataGoaAuthorizer are either unused or can't be used to talk to the server. That leaves GDataOAuth1Authorizer. I don't know if there are services supported by libgdata that still work with OAuth 1. Are there any?
It turns out that the OpenSSL-based code paths in liboauth don't compile with OpenSSL >= 1.1.0. It might be that most builds are either using an older OpenSSL or NSS, because I hadn't come across a build failure so far.
Regardless, I'd like to avoid carrying an unused and weakly-maintained library in the Flatpak manifests for
So it would be nice if we can figure out a way to cut the dependency.
A quick look indicates that oauth_gen_nonce is the only liboauth API that we use.
I see the following options:
- Completely replace oauth_gen_nonce with something else — could be a copy-pasted version of it that uses only GLib and no cryptographic library, and drop the
- Completely drop the OAuth 1 support from GDataGoaAuthorizer and add a build option for GDataOAuth1Authorizer that pulls in
- Add a build option for liboauth and conditionally enable the OAuth 1 code paths in both authorizers.
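
One possible shape for the first option, added here as an example and not taken from libgdata or liboauth: a nonce generator that needs no cryptographic library. The name gen_nonce, the 32-character length and the alphanumeric alphabet are assumptions, and it reads /dev/urandom through plain C stdio rather than GLib so that it compiles on its own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NONCE_LEN 32

/* Alphanumerics only, so the value needs no percent-encoding. */
static const char NONCE_ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789";

/* Returns a malloc()ed, NUL-terminated nonce, or NULL on failure. */
char *gen_nonce(void)
{
    const unsigned n = sizeof(NONCE_ALPHABET) - 1;   /* 62 symbols */
    /* Bytes >= limit are rejected so that b % n carries no modulo bias. */
    const unsigned limit = 256 - (256 % n);          /* 248 */
    char *nonce = malloc(NONCE_LEN + 1);
    FILE *rng = fopen("/dev/urandom", "rb");         /* assumed kernel CSPRNG */
    size_t i = 0;

    if (nonce == NULL || rng == NULL)
        goto fail;
    while (i < NONCE_LEN) {
        int b = fgetc(rng);
        if (b == EOF)
            goto fail;                               /* never fall back to rand() */
        if ((unsigned)b < limit)
            nonce[i++] = NONCE_ALPHABET[(unsigned)b % n];
    }
    nonce[NONCE_LEN] = '\0';
    fclose(rng);
    return nonce;

fail:
    if (rng != NULL)
        fclose(rng);
    free(nonce);
    return NULL;
}

int main(void)
{
    char *nonce = gen_nonce();
    if (nonce == NULL)
        return 1;
    printf("oauth_nonce=%s\n", nonce);
    free(nonce);
    return 0;
}
```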