Oh just one more thing with regards to my example. Whilst the scenario outlined could never happen on appengine, and doesn't directly relate to the OP's request for download access, the ramifications of the problem my friend experienced do have relevance.
Because he could directly write to the filesystem on the hosting provider and as a result read source back, he did all of his development directly on the server (and this despite years of working with him on different projects where we always use svn), he didn't for this project. Which means not only was his work/site compromised, he didn't have a clean source controlled version of his work. This has meant a lot of work for him recovering and ensuring everything is cleaned up. My feeling was it was just too easy for him (as he was the sole person working on the project) to fall back to bad habits. By not allowing people to read from the code base, and treating it as a deploy only environment, there is a fairly strong reinforcing of more robust development practices.

T

On Mar 28, 7:55 pm, Tim Hoffman <[email protected]> wrote:
> No emotions here, just a practical realization of what goes on out
> there (or doesn't).
>
> Here is an example
>
> In the last few days a friend of mine (who uses a PHP based framework
> which shall remain nameless)
> has had a bunch of directories/files and .htaccess injected into his
> hosted apps.
>
> The commercial provider of the php framework is blaming the hosting
> provider's php setup
> and the hosting provider is blaming the php framework provider, and he
> is stuck in the middle.
>
> With app engine's model this is just not possible, unless his
> userid/credentials are provided/hacked.
>
> So no I do not believe this is a witch hunt at all. I have been
> working with web technologies since the mid 90's
> and honestly so many people get it wrong in terms of security.
>
> From my personal experience Google's approach is right on the mark.
>
> Rgds
>
> T
>
> On Mar 28, 4:58 pm, Baz <[email protected]> wrote:
>
> > While I have no need for this since I use and love SCM's, none of you
> > have made any reasonable point on why it should not be allowed. In
> > many other environments you can ftp code up and down, or basically get
> > the code the same way you put it up. No-one said the code should be
> > available for anyone in the world to download (Wesly), it would only
> > be accessible using the same credentials that you used to upload it.
> > And no-one advocated making it the standard way of working, but
> > perhaps there are exceptional situations where this would make sense.
> > Then again, who are any of you to tell someone how to work? Again, I
> > don't care either way, but this feels like a witch hunt based on
> > irrational emotions.
