hn_throwaway_99
10 months ago
I only read the first part of the article, but having dealt with Drive API scopes and their issues previously, I feel there is just a major misunderstanding here.
The "fully open" Drive API read/write scopes should be highly restricted by default (because they essentially give you access to a user's entire drive), and these are the ones that Google added much more stringent security requirements a couple years ago, e.g. requiring a security audit.
However, there is also a much less sensitive Drive API scope, 'drive.file', which is non-sensitive. It lets an app read and write only files the app owns (or read files a user picks through the file picker control).
Thus, I don't understand why the ia.net app would require more than the drive.file scope. I have no doubt that Google's messaging wasn't clear on the transition process when they first created drive.file scope (and I personally wasted a ton of time with bugs in Google's own file picker when using that scope), but it is a much better solution.
mgraczyk
10 months ago
This is exactly right.
I just finished the process to get drive.readonly for my app. It was a huge pain in the ass, and Google was not very helpful. Google recommends you pay $720 for a CASA lab assessment, which consists of some random dude in an apartment in SF running an open source script against a .zip of your codebase, then that guy emails Google saying you "passed".
However, the goal is noble, to prevent malware and scam apps from accessing people's drives. It doesn't sound like the app from the article needs these more restricted scopes.
Gigachad
10 months ago
Being a huge pain in the ass probably does filter out a lot of trivial malware that doesn’t have the resources to jump though these hoops, especially when it might only last a week or so before they get shut down and have to start again.
xethos
10 months ago
If you've covered the personal frustration angle, I'll point to how it also changes the financial odds of turning a profit with malware. ~$700 USD for a week (before getting discovered) means you better turn a profit fast - and if you can't, there's not much point getting that full storage scope
sidewndr46
10 months ago
If that's the case then a $700 bond would be sufficient
Gigachad
10 months ago
Who is paying the security auditor then?
sidewndr46
10 months ago
That's the point, the security auditor is providing any service other than being a barrier.
therein
10 months ago
Do you think this may allow us to reintegrate the security auditor back into the productive workforce after a brief period of adjustment?
throwaway314155
10 months ago
> I only read the first part of the article
Don't you think it makes sense to read the whole article before dismissing it so completely?
This forum should really have a rule to discourage shallow dismissals to somewhat counteract the negative effects of the whole "don't talk about RTFA" rule.
mvdtnz
10 months ago
Not only does this forum have no such rule, you are in fact in violation of the website's guidelines for pointing out that this chap didn't read the article. Which is bananas.
throwaway314155
10 months ago
Yeah it's maddening.
hn_throwaway_99
10 months ago
I didn't "dismiss it so completely".
It was clear to me from the first half I read that the author completely misunderstood and was unaware of the Drive API scope changes that Google made. There is nothing I wrote that would have been contradicted by the rest of the blog post.
reichenstein
10 months ago
The definition of a well informed, happy, modern man: He reads a couple of lines and goes, "Yep, I know how this article ends. I'm right, he's wrong." Then he watches the first half of a game, switches off the TV, pumps his fist, and says, "My team WINS again." Writes the match report, gets in the shower, soaps himself up, and walks out, unrinsed, fully lathered, super clean.
bloppe
10 months ago
This is funny but he actually was right
hn_throwaway_99
10 months ago
Happy to have you point anywhere my assumptions are wrong vs. your random bullshit of a creating writing exercise.
reichenstein
10 months ago
Drive.file scope is not some secret sauce, it's the standard file picker loaded with UX trouble and bugs. Implementing it would lead to a flood of angry Play Store comments.
We know because we talk to our users for 14 years. We know their needs and their use cases. And we have the numbers to verify. We built this. You're an anonymous guy with a throwaway account on the Internet playing the expert. Your comment history shows that you have a lot of time to show that you're an expert on a wide range of topics.
You say that "we" shouldn't get access to Google Drive. It's not about us, our users demand Google Drive access. They want to decide what to do with their files. We couldn't care less about what is in their drive.
But what if we're hackers or if we get hacked? Yeah, that all or nothing access is not the best engineering from Google, is it?
CASA is trying to tape over that bricolage with the usual security theatre. Because guess what... after paying KPMG for a superficial scan, "we" still would get access to the Full Dive. Until recently we could have done the CASA scan in house and get full access. That's what's bullshit.
It's bullshit like almost all of Google. Bullshit Search that only gives you ads. Bullshit Maps that has become an unusable circus. Bullshit YouTube that is now just as ad infested than 80ties TV. Bullshit "log in for security reasons".
user
10 months ago
croes
10 months ago
Perhaps Google should have pointed this out in its review instead of just recommending read-only access.
reichenstein
10 months ago
Well, it's not like we don't know about the default file picker. If we'd switch our customers to that clunky, buggy piece of brittle UX bricolage, they start throwing stones. And you know what: They'd be right. They usually are right. They just don't know or care what it costs to build that they don't want to pay for. And understandably, since everything else in Google world comes completely free of charge.
Some experts here seem to think that “It’s great that Google takes security seriously. I don’t want just any app getting access to my Drive.” Guys...
You think this is air you're breathing? CASA isn’t real security. It’s a very badly played security theater. There are plenty of holes, MI CASA SU CASA, that real hackers can use to steal your selfies and credit card info. You still think we’re not informed enough? We never wanted access to Google Drive. We don’t care about your Google Drive or anyone’s Drive at all.
We don’t have, want, or ever asked for access to your files. And don’t start with, “But you could be hackers!” We’re not. Google has our entire history—7 years with them, 14 years building apps, and 20 years as a company. They have our code, user feedback, passports, phone numbers, bank info, and confidential documents. But they still pass the security theatre burden onto us, making us pay KPMG for audits. Not because it makes things safer. It's so they can lean back, do nothing, and then lift both hands and then point fingers in case things go wrong. That scales nicely.
You know what is a much better way to care about safety? A human mind that knows, checks and cares. Oh, that doesn't scale? Okay, so let's increase bureaucracy. Yeah, bureaucracy will make things safer. Safety by bureaucracy was always the best great hacker barrier. Or is it the opposite? Bureaucracy makes you calculable. If I were a hacker, I'd welcome bureaucracy.
anal_reactor
10 months ago
Because of security reasons, my web browser cannot write to "Downloads", but "Downloads/a" works.
Because of security reasons, my file manager cannot access "Android/obb" and I need to use a trick with the "Files" app.
In order to improve user experience, the option to directly mount the SD card via USB has been removed. Now I need to physically remove it from the phone because the Android's default way of handling things simply doesn't work when you have more than a handful of files.
BTW SD cards suck on Android, but when you connect them to the cheapest Chinese USB reader and to your PC, then they're magically 10x faster.
It's clear to me that Google pushes business decisions under the disguise of "improvements". I think that removing the audio jack was the symbol of Google moving away from creating a good OS to monetizing their OS. I really wish there was a viable alternative to Android that I could install on any phone.
reichenstein
10 months ago
> "Google pushes business decisions under the disguise of 'improvements'"
...while systematically sabotaging design improvements under the disguise of "strategy". Ask people on the Android design team.
talldayo
10 months ago
> If we'd switch our customers to that clunky, buggy piece of brittle UX bricolage, they start throwing stones.
I mean like... have you tried asking them?
I use the Obsidian app on Android with the default file picker is fine for my usage. I barely even notice it, and as a Syncthing user it ensures I get a native and compatible experience.
This arguing over "safety" when Google's stance is entirely logical does not give me a good feeling about your product. Your job, as a developer that relies on Google and Apple to ship your app, is to jump through their hoops. Grandstanding your userbase doesn't sell new licenses, it makes people question relying on you at any point in the future - it hurts iA's brand more than it hurts Google. As an Obsidian user this basically confirms my suspicion that most SAAS-based Markdown editors are totally overengineered and (apparently) not a reliable choice if you only use the Play Store.
It's your call. Putting up with Apple and Google's bullshit sucks, but it's also literally your job as a provider of support to those platforms. If Google's behavior is enough to make you react like this, I half expect the Windows, iOS and MacOS builds will join Han Solo by the end of the year.
MrDresden
10 months ago
I'm going to hazard a guess that you haven't been involved in many direct interactions with the Google review process.
They are rarely if ever precise or very factual.
threeseed
10 months ago
Doesn't that mean that the app wouldn't be able to edit a document created elsewhere.
Including documents created by their own web or desktop client.
And it's odd that Google thinks that writing to files is significantly worse than reading. What benefit does a hacker have to update your private photos or bank details versus reading them.
thatguy0900
10 months ago
The user can use a file picker to select individual files as well.
fsckboy
10 months ago
>The user can use a file picker to select individual files as well.
the top comment on this thread says:
It lets an app read and write only files the app owns (or read files a user picks through the file picker control).
which would not include writing picker files. Are you saying picker files could be written?
tadfisher
10 months ago
You do not need to request any sort of OS permission or Drive API access to read or write Drive files that are selected using the system document picker. You do need to specify that you want a writable file when you open the picker. The system will grant your app write permission for that file URI only.
threeseed
10 months ago
So then the app can't have Recent Files functionality.
Or open the last file the user was editing as it may have been edited elsewhere.
Seems pretty unworkable for a text editor.
NavinF
10 months ago
Only if you absolutely insist on creating your own special snowflake file picker UI instead of using the OS file picker
IanCal
10 months ago
I don't think that's true, doesn't the file picker have recent files in it?
> Or open the last file the user was editing as it may have been edited elsewhere.
When is this a particular use case? Auto open a file I opened elsewhere?
Gigachad
10 months ago
The iOS file picker does have a recent files tab and it seems to be the first one that opens.
crazygringo
10 months ago
Those seem pretty minor, and are you sure Google doesn't allow a way for permission on the file to persist?
Even if it doesn't, you can access recent files from the Drive file picker.
cyberax
10 months ago
> So then the app can't have Recent Files functionality.
Yeah, this is an issue. Google really needs to fix this. And there are multiple ways to do that! They can remember that a file was opened by the app earlier, and let it access again for a reasonable period.
They can also allow delegating access on a directory level instead of a binary all-or-nothing approach.
rerdavies
10 months ago
Android DOES remember permissions for folders that you have opened previously through the picker (although the app does have to code for that); and you can reuse the URLs for files that you have received through the picker, as long as the permissions are still intact. (You can lose them if the app is used infrequently).
Life would be so much easier if the Android File Picker UI weren't so incredibly awful. Has to be the worst piece of UI design I have ever seen. Incredibly difficult to use even if you know exactly what you want.
SSLy
10 months ago
it's a text editor. Users expect to edit files in any random directory they'll make on drive, not in the containment scope that doesn't work with users' writing habits.
0cf8612b2e1e
10 months ago
From the description, the app launches an OS controlled file picker. Once the human picks a file, the app is given a file handle with read/write permissions. Any file is fair game to be used within the app, but the application does not get to know anything about the file system.
layer8
10 months ago
This sounds like the user has to navigate to the file from the app’s file picker each time they want to open the file, instead of being able to open the file from the Files app. This would also mean that the app can’t maintain a “recent files” list (or bookmarks) for the user to be able to quickly reopen a previously opened file, because that wouldn’t be going through the file picker.
tadfisher
10 months ago
That is not true; you can hang on to the content URI and metadata to present a Recent Files UI. You need to ask for a persisted write permission for the content URI. You can even use the ContentResolver to check the file's existence and update the metadata (including thumbnail).
iggldiggl
10 months ago
Although AFAIK Android's implementation then means that you can end up with duplicate entries for the same file if you open it through differing means (like both through an external file manager as well as within the app's own UI), because those result in distinct content URIs and there are no official APIs that would allow you to confirm whether two separate content URIs are actually pointing to the same file (where that'd make sense, e.g. for files on the local file system at least [1]).
[1] I think there are some hacks to work around that issue, but obviously they aren't guaranteed to work all of the time.
hn_throwaway_99
10 months ago
I wouldn't want any text editor app to have full rights to my Google Drive. I literally recently implemented a similar feature (not for a text editor but for an app that needed to pull files from many different sources), and it's not that hard, i.e. giving easy access to local files and then using the picker control for "Drive imports".
The problem here is the original app developer had full, willy-nilly Drive access, and when Google rightfully locked down this level of access (and, mind you, didn't prohibit - I've gone through the Drive restricted scope verification process and it's not as hard as this blog post is making it out to be), the developer didn't take the time to see what was necessary to comply.
Again, I have no doubt Google could have given better instructions on how to migrate to the drive.file scope or how to use the restricted scopes. But Google has been warning about this for many years now, so seems like this dev just scrambled at the last minute.
stickfigure
10 months ago
> I wouldn't want any text editor app to have full rights to my Google Drive.
What text editor do you use on your laptop/desktop/pc?
Gigachad
10 months ago
On MacOS, apps like VSCode have to ask permission to read directories if they weren't opened via the OS file picker. So my text editor can not read my Google Drive folder unless I explicitly allow it to.
stickfigure
10 months ago
I don't know about VSCode, but IntelliJ and Sublime have access to files all over the filesystem (on MacOS). Maybe they once asked me for permissions "to all files" a zillion years ago - I don't remember - but isn't that exactly what the app developer in the article is asking for?
hn_throwaway_99
10 months ago
Primarily vim or VSCode, why?
klabb3
10 months ago
Parent means that your desktop OS is not sandboxed and your editor has permissions to read any file you have access to, including mounted Cloud Drives, as well as showing a custom file explorer (which both Vim and VSCode do, btw) and does not require special scoping on a file-by-file basis to happen in some OS controlled, confusing back-and-forth dance.
The security model on mobile, despite being gate kept and sandboxed to an extreme, still has massive giant glaring problems with malware, phishing and tracking (although that’s more of a feature). To double down on this strategy, by whitelisting, reviewing, authorizing, auditing, and blessing entitlements in holy corporate water – shows an amusing incongruence in contrast with say Linux which by almost every metric is more secure despite none of that, and to a lesser extent, macOS and Windows.
Gigachad
10 months ago
Linux desktop is not secure at all. Basically anything you install can do anything without limitations. In a few minutes I could whip up a VSCode plugin that sends me your browser session storage and have access to all of your everything.
It's getting a lot better with Flatpak, Wayland, and PipeWire, but the pieces are still being put in place for an actually secure Linux desktop that comes anywhere close to the security of MacOS and iOS.
klabb3
10 months ago
> In a few minutes I could whip up a VSCode plugin that sends me your browser session storage and have access to all of your everything.
Yeah I know but I’m saying despite that Linux is more secure in practice. Most software is not distributed as some random VS code extension, but as FOSS projects and all the checks and balances of the distro maintainers. That’s who keeps you safe at night, and it works remarkably well.
Capability permission in all glory but it’s not a panacea. What happens in practice is that an app asks for permission to your bank account and eternal soul, and then users say “well, I guess I need to if I want this Instagram filter” and there you go. So it’s not as easy as retrofitting sandboxing onto the OS. Neither am I claiming it’s easy to solve. What I am saying is the App Store model is largely security theatre.
Shawnecy
10 months ago
> Linux desktop is not secure at all. Basically anything you install can do anything without limitations.
This is ridiculously false.
Gigachad
10 months ago
Every traditional package manager I’ve seen installs programs as root and they can do basically everything including adding services to systemd as root, modifying configs in /etc for example.
It’s only the newer stuff like flatpak that bring in some sanity to the installation process.
consteval
10 months ago
While this is true, in practice it's more secure than you'd see on most operating systems.
The reason being that the software is typically from a centralized, trusted repo that has been vetted by maintainers. The software is typically OS and it's not the app developer who releases it to you, the customer. It's the maintainer who packages it and will even apply custom fixes to it.
Yes, there's some trust here. But historically, there's very little examples of rogue Debian maintainers doing something naughty. Whereas on, say, the Play Store, the app dev distributes the App to you and the Play Store just does some preliminary black-box checks. They're not getting the code and packaging it like a debian maintainer would.
Some distros, like Debian, even FORCE app devs to use the system provided libs - they can't statically link their own library code. So they're pinned to a particular version of openSSL, libc, wlroots, libpng, etc. This prevents a huge variety of supply chain attacks. You can't bundle a compromised version of any one of the libs.
And lastly, in stable distros the software typically goes through many routes before landing on a customer device. For debian, you're looking at months of real-world usage in testing and unstable before you see the software. This finds out vulnerabilities - this is why, for example, debian stable never had to deal with the XZ vuln. This isn't true for direct-to-customer app stores.
ajross
10 months ago
To be blunt: how do you know it's not an exfiltration app that will suck down your entire Drive and upload it to their sponsor's ML training engine?
Text editors are great, but hand-installed editors[1] running on the local filesystem of a developer-maintained personal device are a very different threat model than an app available to everyone in the Play Store.
[1] And even then they tend strongly to be boosted by a large community of (usually) open source developers attesting to it, usually by inclusion in something like a "Linux Distro" which carries a strong promise of well-audited software. Emacs and VSCode and whatnot skate on reputation, basically, but the community tends to frown on "here: download my new binary tool for all your editting needs!".
fragmede
10 months ago
I like how ML training is the worst thing you can think of and not stealing your identity and bank account information and all your money or seeing nudes or something actually damaging that normal people care about.
ajross
10 months ago
I was trying to be trendy and hip and avoid hyperbole. But yeah, that too. Also boring stuff like corporate espionage and malware distribution.
cudgy
10 months ago
Are you assuming that the ML company does not sell its training data to scammers or others that will sell to scammers?
fragmede
9 months ago
Yes, I am assuming that AI won’t sell the text of my chats to scammers just like I assume Google won’t sell my Google search history to anybody that wants to personally hurt me. I distinguish between an ad company wanting to make money showing me ads and an individual calling my parents trying to get them to send the scammer money saying that I’m the hospital so cash app them $600 please.
notpushkin
10 months ago
> Create new Drive files, or modify existing files, that you open with an app or that the user shares with an app while using the Google Picker API or the app’s file picker.
Yeah, this should do the trick. From the cursory look seems like there’s no Google Picker UI for Android though?
Google actions are somewhat ridiculous here (they should audit iA’s app, not their cloud), but the reason is pretty solid IMO. If you choose an overly broad scope, be prepared for scrutiny.
Gigachad
10 months ago
You don't need a google drive specific picker. Drive adds itself in to the OS file picker, on iOS at least. And that lets any app access any file without even using the drive api or having an api key. The key point is that iOS and Android control that access so the app can't open a file the user didn't select.
If you want that functionality, you can do it easily for files the app created itself, or if you want access to literally everything without user oversight, you need a security audit.
mvdtnz
10 months ago
This is the second time I have seen you in this thread talk about how the iOS picker behaves. This is irrelevant. We're not discussing iOS.
consteval
10 months ago
It is relevant, because it demonstrates it's both possible and common. Therefore, complaints about this not working in Android speaks more to insufficiencies in the file picker, not true capabilities.
A lot of people are arguing you need more powerful permissions due to hard requirements. Well, it's not a hard requirement in this case, it's a defect with the Android file picker and it should be fixed THERE. If the Android file picker does not currently work this way, which I bet it does.
notpushkin
10 months ago
I’d expect something similar on Android actually – there is the relevant API at least.
notpushkin
10 months ago
In some cases you might want to retain access to the file. I think the OS file picker doesn’t allow that while the Google Picker does.
StewardMcOy
10 months ago
Strong disagree.
Part of my disagreement comes from the fact that the process is inconsistent and time-consuming from Google's end. If you read more of the article, you can get a glimpse of how poorly it's run. And iA have been lucky here. Some apps submit to Google for OAuth approval and get stuck waiting for approval for years.
But another part comes from the fact that drive.file access is not enough for some apps, and iA Writer falls into that category. Some apps really do need full access. (But Google told them they only need read-only access, lol.)
Additionally, having been though the CASA process, it has been pure security theater. No offense to the people working on it, because I'm sure they have good intentions, but letting developers run a python script on their app to self-report vulnerabilities really doesn't solve anything. I suspect this is why Google took away the free option and are requiring a review by a security lab.
The problems with this is that Google only guarantees a minimum cost, not a maximum cost, and that not every company is in a position to let the lab Google has partnered with see their code. And finally, I'm skeptical at how much a security lab is going to find with a quick check on a small payment.
And frankly, Google Drive access is not worth the cost. Even if it's $500/year in fees, + time working with the lab (which, as iA pointed out, can be a huge opportunity cost), in most cases, the kinds of apps that need full access won't suffer $500/year in damages by removing Google Drive support.
And Google Drive doesn't exist in a vacuum. There are other cloud storage solutions out there. Amazon doesn't make developers jump through their ridiculous hoops to access the S3 API.
notpushkin
10 months ago
> But another part comes from the fact that drive.file access is not enough for some apps, and iA Writer falls into that category.
How so? (I agree that the readonly category doesn’t work for iA, but drive.file should be fine IMO.)
> Amazon doesn't make developers jump through their ridiculous hoops to access the S3 API.
With S3, you only get access to your app’s data, not everything user has. If that’s what you want drive.file or drive.appfolder permissions are what you need: https://developers.google.com/drive/api/guides/api-specific-...
StewardMcOy
10 months ago
> How so? (I agree that the readonly category doesn’t work for iA, but drive.file should be fine IMO.)
Arguably, I'm not as familiar with iA as I should be, having only tried it briefly a while ago, but IIRC it basically mounts your file store as if it were a filesystem and allows you to completely manage files. Add, rename, delete, etc. And it's not just limited to iA's App's data. Part of the sales point is to be able to go between iA and Google Docs.
And it allows you to search for a string in every file in a folder. Sure, it has to download every file to do that, and that can be a bad idea, but it if you have a folder of 100 files, 100 KB each, that's reasonable. But with drive.file, what are you going to do? Show a picker for each of those 100 files?
And this is for a native app. It would have to load up a web view to show the picker.
> With S3, you only get access to your app’s data, not everything user has.
This is incorrect. With the S3 API, you could implement the search every file in a folder feature I mentioned above, no pickers required. Just use ListObjects (or ListBucket) along with GetObject.
And again, Google is locking this kind of access behind a CASA review, and while I don't want to insult anyone's intentions, CASA review is fairly useless. Even the paid option is more security theater than anything else. And it's a burden put on developers that other services don't require.
consteval
10 months ago
IMO, these "insufficiencies" should be addressed by safer APIs. The solution here should NOT be to just grant the app file permissions across the board.
For example, Search could be expressed as a separate permission and API operation. I see no reason why you need full file access to do a text search - the OS API can, and should, handle that.
The trouble here is people store all kinds of things in Google Drive, includes photographs. These could easily be exfiltrated to a server. This could cause identity theft, black mail, you name it. Performing a text search IMO is not a good enough justification for the potential risk of that situation.
iggldiggl
10 months ago
> For example, Search could be expressed as a separate permission and API operation.
Then maybe after years Google eventually deigns to add a search API, which is great, except you actually also want to do search and replace and they didn't implement that. Or maybe you want to do search and/or replace with regex support, and the new API doesn't support that either.
StewardMcOy
10 months ago
iggldiggl makes some good points about APIs not being flexible enough, but I also have to ask why go through the complexities of extra APIs? If I'm installing an editor and using it to open my files, I already trust it implicitly with all of my data. That means I also trust it to be reasonably free of RCEs that could modify or exfiltrate my data.
I could see your point if this was some fly-by-night web app accessing Google documents. But this is a native app I'm running on my phone or computer. I may have legitimate reasons to access those photos, to embed them into a document.
consteval
9 months ago
> already trust it implicitly with all of my data
I don't think this is the case for most people in this scenario - at least in a general sense.
For a typical desktop editor sure, but for a mobile editor that goes through Google Drive I wouldn't expect it to have any access to any file in my Drive. And if it did, this could be trivially be used for many horrible things. Meaning, the "type" of data stored in Google Drive versus someone's Documents folder is very different.
notpushkin
10 months ago
> IIRC it basically mounts your file store as if it were a filesystem and allows you to completely manage files.
This is not something I’d want a text editor to do! (The search feature is cool though.) If the point really is to make an alternative UI to both Drive and Docs, this makes sense, but again, I wouldn’t expect that.
> With the S3 API, you could implement the search every file in a folder feature
This is useful! Not my point though.
With the S3 API, you usually create one or multiple buckets per app – perhaps even one bucket per user. Your app manages those buckets, so it’s natural that it has access to the whole thing. (You can ask users to plug in their own S3 buckets, but that’s also not something I’d expect from iA.)
With Google Drive API, you mount user’s own Drive storage. This includes all files in it, some created by other apps, some uploaded by the user directly. Your app doesn’t usually need access to everything I have in there.
S3 and Drive are just two completely different products, for different people, with different API security models. You can use S3 as a personal storage space (I do actually, but with Backblaze), and perhaps you can make your app store file uploads on Dropbox for example but it’s not straightforward.
> CASA review is fairly useless
Absolutely. I’m just arguing about intentions actually – granular permissions are net good. The processes at Google are quite ridiculous indeed.
MagerValp
10 months ago
> This is not something I’d want a text editor to do!
But this is exactly how it works in Sublime or VS Code or what have you on the desktop. You open a project folder and then you can click any file to edit, add new files, rename them, and so on.
It's been decades since I last used a text editor where you had to open each file individually (CygnusEd!).
consteval
10 months ago
This is changing on Desktop, at least Linux. See flatpak, Wayland, and freedesktop portals.
StewardMcOy
10 months ago
> With the S3 API, you usually create one or multiple buckets per app – perhaps even one bucket per user. Your app manages those buckets, so it’s natural that it has access to the whole thing. (You can ask users to plug in their own S3 buckets, but that’s also not something I’d expect from iA.)
Then I think we have completely opposite expectations of what a native editor should do here. I don't want to use iA to create an app-specific folder for all of its files, I want to use it to edit all of my existing files in all of my buckets. Who organizes their files by app? Imagine if VS Code could only edit projects in a folder it created to manage files? What about Photoshop? Should I be forced to save images in the Photoshop folder and then move them to my VS Code folder?
I would never "create one or multiple buckets per app," because my life isn't app-centric, it's document-centric.
On S3, I organize my buckets by project, or sometimes by client. On Docs, that's how I organize my folders. If I download a new editor, I expect it to be able to edit any and all of the files without fuss, whether they're on my local disk, on S3, or on Google Drive.
If I'm running an editor, it really does need to "access everything I have in there," including files, created by other apps or uploaded by the user directly.
EDIT: I'm not trying to question the intentions of those who think apps that access all files should be more secure. But the current process is untenable for independent developers, and in my experience, does little to actually improve the security of the app. iA is correct to drop drive support rather than attempt to shoehorn their app into a scope it's not designed for or waste time and money jumping through these useless hoops.
notpushkin
10 months ago
Okay, I think we’re almost on the same page here. Tl;dr: I agree that giving access to files one by one is not a right scope for iA, but I think giving access to all files is much much worse. It shouldn’t be all or nothing.
> Imagine if VS Code could only edit projects in a folder it created to manage files?
This would indeed be untenable! And of course granting access to individual files doesn’t work for VS Code too. If you grant access to a whole folder at a time though, it’s much more reasonable: it will be able to access the project I’m working on, but not my /etc/passwd (unless I explicitly open it of course). This is how it works on desktop Linux with Flatpak for example, as another poster mentioned around here. I have no idea if Google Drive can do that, but it should.
> If I download a new editor, I expect it to be able to edit any and all of the files without fuss, whether they're on my local disk, on S3, or on Google Drive.
I would expect that as well, but I also would like to choose what it should have access to.
It’s reasonable to expect VS Code to be able to move files around in your project, for which it needs full access to the project folder. It’s also reasonable to be able to jump to a definition somewhere in /usr/include. But it shouldn’t be able to arbitrarily access all your stuff unless you let it.
Same thing with iA Writer. If I’m working on a book and have one chapter per file, it should have access to the whole folder to be able to show the list of chapters, create new ones etc. It shouldn’t have access to my family photos archive or the tax return I’m preparing or something.
Based on what I gather from iA’s website, giving access on a folder basis should be the perfect solution for them. I have no idea if Google supports this, and if it doesn’t then I agree they should drop the support altogether: giving access file by file doesn’t work, and having one big “iA Writings” folder is just janky.
> does little to actually improve the security of the app
Technically, maybe. It does help a lot in case the app actually gets hacked though, or if the developers go rough and decide to mine your data or something.
StewardMcOy
10 months ago
> if Google supports this, and if it doesn’t then I agree they should drop the support altogether
Last time I used it, the file picker was by file, not folder, and was fairly janky. By that I mean it was slow and cumbersome to use. Selecting one file was bad enough, let alone multiple.
But selecting an entire folder would definitely be better, assuming that the experience could be much improved. I still think there needs to be a way to bypass it for apps that truly need access to every single file--even at the risk of attackers exploiting the app or the developer deciding to turn evil--but that's getting sidetracked from the real argument. So for now, let's assume I agree that the select a folder solution is perfect.
The real issue is that Google should not be the arbiter of what apps are allowed that kind of access, and they certainly shouldn't be making small developers jump through the expensive, ineffective CASA hoop to get it.
That's the real reason iA's discontinuing development on Android, and they're right to do so. Google Drive should have a permissions model that allows for users to control how much access an app should have. That would solve the issue without the unnecessary bureaucracy, the mistakes (like suggesting an editor be read-only), and added expense that other platforms don't put on third-party developers.
notpushkin
10 months ago
> Last time I used it, the file picker was by file, not folder, and was fairly janky.
Well, that sounds like Google haha. I’d drop it just for that reason alone, to be honest.
> The real issue is that Google should not be the arbiter of what apps are allowed that kind of access, and they certainly shouldn't be making small developers jump through the expensive, ineffective CASA hoop to get it.
Absolutely. In case of whole Drive access, I think a big scary warning should suffice here: the user should understand what they get into, but still be able to continue if they want. Perhaps the warning can be made less scary if the app passes an audit (something more suitable than CASA, of course).
mgraczyk
10 months ago
FWIW they don't allow developers to self verify any more (as of this year).
StewardMcOy
10 months ago
Which is why I said
> I suspect this is why Google took away the free option and are requiring a review by a security lab.
mgraczyk
10 months ago
thanks, missed that!
spencerchubb
10 months ago
yeah I think android's policy is pretty reasonable here. if you're gonna have read/write access to everything in my google drive, you should be scrutinized pretty heavily.