imhoguy ·74 days ago
As per the mentioned Ghisler page: "The security assessment would have to be performed by a specialized company, and costs up to $75'000 per year and program (so $150'000 for 32bit+64-bit). This is not sustainable even with a subscription." [0]
This is a death kiss to indie development.
But paradoxically it is great. Killing interoperability is a nail in the coffin. This brings more and more focus to alternative solutions out of Google market, especially in independent software area. Like yt-dlp, FreeTube, F-Droid - actually all my family uses them and I recommend it to everyone. I can't wait to get some alternative GDrive client lib which simulates browser to throw data over that garden wall, and I don't care if it nags with captcha. The more hassle the more people are going to hate that ivory tower.
[0] https://www.ghisler.com/googledrivehelp.htm

dewey ·74 days ago
Even the "audit" they require for increasing something simple as your YouTube API quota is already annoying and a massive waste of time, and this is not even close to the one they are requiring from Panic.
The quota increase process is roughly:
1) Fill out the same form every year from scratch
2) Send it into the black hole that's Google "support"
3) A few weeks later receive a reply from someone asking an irrelevant question to our use case
4) Two weeks later another person replies asking for screenshots of the "implementation", so you send a screenshot of "func storeTrailerMetadata()"
5) Another two weeks later, another automated person replies that you got approved.

hn_throwaway_99 ·74 days ago
I know everyone loves to dunk on Google, and I definitely agree their communication and customer service to app developers is shite, but this change to permissions scope is a good thing. If you have full, unfettered access to a large number of people's Google Drive data, you're a huge target for malevolent actors. If you can't afford the new audit requirements (which I've done and are quite easy - if anything I'm sympathetic to the argument that they're more "box ticking" than valuable security audits), then I'd really question your ability to appropriately safeguard so much critically private data. For reference, these audits are about 1/20th as complicated as a full SOC 2 audit, for example.
FWIW I'm not previously familiar with this Transmit app, but based on their use cases (e.g. backup) it sounds like the limited "drive.file" scope wouldn't work for them. Still, if you want complete, unfettered access to my entire Drive account, I don't think it's a bad thing that Google is enforcing some minimal security standards.

davedx ·74 days ago
> But then… a couple of months later, Google completely removed the option for us to scan our own code. Instead, to keep access to Google Drive, we would now have to pay one of Google’s business partners to conduct the review.
What a racket. Smells downright anti-competitive. The EU will have fun with this when it catches up.

fidotron ·74 days ago
There is a clear subtext to this and the Play Store changes: everyone interacting with the Google ecosystem is going to be pinned down and deanonymized with rights assigned based on legal identities. This will be done in the name of security. There is no freedom in who you trust here.
The big question here is if all this was preemptive or the response to something.