Comment 3 for bug 782690

Lucas Beeler (lucas-yorba) wrote :

As the upstream dev who wrote Shotwell's Picasa Connector, I can clarify one or two things here. What we're really talking about here are two separate issues:

Issue 1: does Shotwell store any user credentials locally that might present a security risk?

Issue 2: should Shotwell use OAuth authentication for Picasa?

As regards issue 1, Shotwell stores no password information locally whatsoever. When the user types in his or her password in the Picasa Login Pane, it's held in memory only to prepare a secure HTTP request to retrieve a ClientLogin access token. When we request this access token, Shotwell only asks for a limited set of permissions. So there's no risk of Shotwell reading your GMail.

As regards issue 2, Shotwell uses an older Google authentication API called ClientLogin instead of OAuth. This older API is now deprecated and is not recommended for new development (see https://developers.google.com/accounts/docs/AuthForInstalledApps), so we should probably update the Shotwell Picasa Connector to use OAuth. That said, there's no indication that ClientLogin is any less secure than OAuth. ClientLogin is just old.