> OAUTHDEBUG_LEGACY_UNSAFE?
That sounds better
> I think I'm missing something; how does the choice of .c/.h change
> things? There's no static tracking in v1 of the patchset
Eh, sorry about that, I was sure that I sent a version which handled
that to the list, but apparently I didn't. It didn't use
atomics/mutexes, so maybe it's better.
> `UNSAFE` is intended to be a weak defense against social engineering
> attacks. So these warnings need to be translated, if possible, and we
> should not provide instructions on how to defeat that defense.
With the same logic, shouldn't we print a very visible warning when
somebody enables trace? Since it's a long output, maybe to both the
beginning and end of the flow?
