Clarifying magnatune support in amarok
John Buckman
john at magnatune.com
Sat Nov 11 08:06:14 UTC 2006
> The reason is that it is not really clear how the whole thing is
> handled. Most specifically, whether e.g. credit card information
> can be seen by people from the amarok developer team in some
> magnatune transaction history or something.
>
> http://lists.opensuse.org/opensuse/2006-11/msg00224.html
> http://lists.opensuse.org/opensuse/2006-11/msg00228.html
> http://lists.opensuse.org/opensuse/2006-11/msg00234.html
> http://lists.opensuse.org/opensuse/2006-11/msg00244.html
The beauty of open source is that you can just look at the source and
find out. :D
The function
void MagnatunePurchaseHandler::processPayment
in
src/magnatunebrowser/magnatunepurchasehandler.cpp
is where things happen. The purchase info is submitted via https with:
> QString purchaseURL = "https://magnatune.com/buy/buy_dl_cc_xml?cc="
>     + ccNumber + "&mm=" + expMonth + "&yy=" + expYear + "&sku="
>     + albumCode + "&name=" + name + "&email=" + email
>     + "&id=amarok&amount=" + amountString;
The only logging I see is if debug logging is on, in which case the
purchase url is stored in the debug log.
> debug() << "purchase url : " << purchaseURL << endl;
The communication is direct between the client machine and magnatune,
and does not touch anyone else. The call to Magnatune's HTTPS side
is via the KDE storedGet() call:
> m_resultDownloadJob = KIO::storedGet( KURL(purchaseURL), false,
> false );
I'm CCking Nikolaj (the Amarok developer who did the Magnatune
integration work) in case there is other logging going on that I
don't see.
--
> It's not that I'm paranoid nor that I'm implying any bad intentions
> but.. well.. IMO it must be as transparent as possible ;)
>
> I couldn't find any detailed information about the transaction process
> and how the personal data of the users is secured.
>
> Could you please take a few minutes to enlighten us about it ? (or
> point me to a link if I didn't look hard enough)
Nikolaj, can you help? I don't see any saving of personal data
myself, it looks more like you implemented a form that submits via
HTTPS GET, and the security and issues are the same as when using a
web browser.
As to this comment:
> Like the implementation how your credit card information is
> submitted and that it is posted under the personal account of one
> Amarok developer at Magnatune?
I assume they're referring to the "id=nikola" in the purchase url
that was in the beta versions of Amarok, which has now been changed
to "id=amarok". This is simply used to track the source of the
purchase and has no nefarious intent.
-john
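
Added example, not part of the original post and not Amarok's code: the debug() line quoted above writes the full purchase URL, card number included, to the debug log whenever debug logging is on. One way to keep that log line while dropping the card and personal fields is to redact them before logging; the helper name redactPurchaseUrl and the sample values are assumptions, and only the query keys come from the URL in the post.

```cpp
#include <iostream>
#include <set>
#include <string>

// Query keys in the purchase URL quoted in the post that carry card or personal data.
// Matching is case-sensitive and keys are not percent-decoded.
static const std::set<std::string> kSensitiveKeys = {"cc", "mm", "yy", "name", "email"};

// Hypothetical helper: returns a copy of `url` that is safe to write to a log.
// Host, path and the non-sensitive parameters (sku, id, amount) are kept as they are.
std::string redactPurchaseUrl(const std::string& url) {
    const auto npos = std::string::npos;
    const auto q = url.find('?');
    if (q == npos) return url;  // no query string, nothing to redact

    const auto hash = url.find('#', q);  // keep any fragment out of the parse
    const std::string query = url.substr(q + 1, hash == npos ? npos : hash - q - 1);
    std::string out = url.substr(0, q + 1);

    std::string::size_type pos = 0;
    while (pos <= query.size()) {
        auto amp = query.find('&', pos);
        if (amp == npos) amp = query.size();
        const std::string pair = query.substr(pos, amp - pos);
        const auto eq = pair.find('=');
        const std::string key = pair.substr(0, eq);
        if (pos != 0) out += '&';
        if (eq != npos && kSensitiveKeys.count(key)) out += key + "=[REDACTED]";
        else out += pair;  // non-sensitive or value-less parameter: keep verbatim
        pos = amp + 1;
    }
    if (hash != npos) out += url.substr(hash);
    return out;
}

int main() {
    // Constructed sample values; 4111111111111111 is a widely used test card number.
    const std::string url =
        "https://magnatune.com/buy/buy_dl_cc_xml?cc=4111111111111111&mm=01&yy=09"
        "&sku=ALBUM123&name=Jane%20Doe&email=jane@example.org&id=amarok&amount=8";
    std::cout << "purchase url : " << redactPurchaseUrl(url) << std::endl;
    return 0;
}
```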