Now, while the amaroK server <-> Wikipedia server is locked by a secret
key, the amaroK client <-> amaroK server probably isn't. Anybody can make a request to the amaroK server, claiming to be amaroK -- an abuse then DoSs the entire amaroK user base when it hits the maximum requests for the amaroK key. <<
Well, that just pushes the problem from one server to another. It
doesn't change the overall analysis I gave. <<
I would phrase it as pushing the problem from Wikipedia to the app provider. Your statement about the client/amaroK key security as being "probably insecure" is speculation, and ultimately, that isn't Wikipedia's problem. You obviously have no control over other people's server or key security, and trying to secure public information is generally impossible anyway. People will find a way around the limitations of a public API. Google's webservices API makes it easy to query and parse the results, but Google's HTML page returns are very clean and easy to parse anyway, making it simple to build a webservice that just scrapes the page.
Wikipedia is also clean HTML, and a scraper is simple to make. But you have to ignore those sorts of people. Make it easy for legit users to access what they need and ignore the people that are going to ignore your rules anyway. Introduce stricter controls when it becomes clearly necessary, but not before.
- MHart - http://taxalmanac.org