Trust me, we thought out all the scenarios. Here are the scenarios: 1. Just enable it in app.yaml - completely useless from a security perspective, an attacker would just enable it, download code, upload malicious code and steal data/compromise users' data over time
2. Make it opt-in, so you can't download the code unless there's a version of app.yaml that has this enabled uploaded So an attacker can't download previous versions, but the problem here is: who would use this feature? The type of folks that want code download are unlikely to have known about this feature prior to uploading an app version. 3. Just enable it, allow disabling in app.yaml and don't allow versions uploaded before 1.4.0 going live to be downloaded Same problems - users that ask for this feature won't benefit. 4. One way disable button Seems to be the best compromise for all worlds. People that don't needs this feature will just turn it off once and never, ever worry about it again. Developers that need this feature (generally seem like neophyte developers who are still learning about backups and source control) won't know to turn it off, and when they lose their code, they'll be relieved they can download their code. In general we do NOT recommend this feature as a replacement for: 1. Backups 2. Source control A lot of folks come to App Engine because they're learning how to program, and they're not aware of source control or have "always back up your stuff" hammered in yet. See this blog post: http://www.7bks.com/blog/179001 I'm going to be pretty adamant about not using this feature as a replacement for source control or backups in the groups, but I'm open to hearing about other reasons developers want this feature and why a permanent opt-out button is a bad idea. -- Ikai Lan Developer Programs Engineer, Google App Engine Blogger: http://googleappengine.blogspot.com Reddit: http://www.reddit.com/r/appengine Twitter: http://twitter.com/app_engine On Wed, Nov 24, 2010 at 12:26 PM, Thomas Johansson <[email protected]>wrote: > If the guy uploading enables downloads to be malicious, he could > equally just post up the code somewhere. > > That being said, I hadn't thought about the case of accidentally re- > enabling and then having the account compromised. Even still, not > being able to ever turn it back on seems short sighted. Perhaps a way > to enable it similar to how disabling an app works, so it can't be > done maliciously. > > On Nov 24, 6:07 pm, Barry Hunter <[email protected]> wrote: > > Being a one time nuke, means its not possible to for a developer to > > accidentally (or maliciously) re enable downloads :) > > > > One of the main objections to 'download' is it makes it easier for > > someone who shouldnt get their hands on the source code. Yes the fact > > only the uploading developer gets it, makes it more secure, but not > > totally. Being able to turn off downloads, is another serious barrier > > to the 'thief'. Someone who as invested IP in their code, wants to be > > able to do everything possible to protect that. > > > > On 24 November 2010 16:25, Thomas Johansson <[email protected]> wrote: > > > > > Why was the decision made to make this an app-wide one time only nuke > > > button? > > > > > I think enabling/disabling it in app.yaml per-upload would be much > > > more useful. > > > > > On Nov 23, 8:30 pm, "Ikai Lan (Google)" > > > <[email protected]<ikai.l%[email protected]> > > > > > wrote: > > >> You'll be able to download code, but anyone that wants to turn it off > will > > >> be able to go to their admin dashboard and push a one-way, > irreversible > > >> button to disallow this feature. > > > > >> Please do not depend on this feature to do source control. > > > > >> -- > > >> Ikai Lan > > >> Developer Programs Engineer, Google App Engine > > >> Blogger:http://googleappengine.blogspot.com > > >> Reddit:http://www.reddit.com/r/appengine > > >> Twitter:http://twitter.com/app_engine > > > > >> On Tue, Nov 23, 2010 at 11:12 AM, Sandeep Koduri > > >> <[email protected]>wrote: > > > > >> > Hello ikai, > > > > >> > Thanks and congrats for the great release. > > > > >> > Will there be an option for source code download control in > app.yaml. > > >> > according to the mail thread in pre-release of 1.3.8 we thought this > will > > >> > be implemented, and that would be very helpful. > > > > >> > the feature announced now will be a very good add-on but, by default > if the > > >> > config is to be on app.yaml. > > >> > Will there be any option for the creator of the app to get any > versions > > >> > source code. > > > > >> > We have some use cases relying on this option. so please make a > reply about > > >> > this, accordingly we can streamline the development process at our > team, > > > > >> > Thanks > > > > >> > On Fri, Nov 19, 2010 at 3:57 AM, Ikai Lan (Google) < > > >> > [email protected] <ikai.l%[email protected]> < > ikai.l%[email protected] <ikai.l%[email protected]>>> wrote: > > > > >> >> Hey everyone, > > > > >> >> I just wanted to let everyone know that prerelease SDK 1.4.0 is > out! Get > > >> >> it from the Google Code project: > > > > >> >>http://code.google.com/p/googleappengine/downloads/list > > > > >> >> We're still working on the docs and will have them ready for the > final > > >> >> release, so if there are any questions about how to use the new > features, > > >> >> feel free to ask on this thread and I'll do my best to clarify > them. The > > >> >> release notes are below. This is an EXCITING release: > > > > >> >> Python > > >> >> ------------ > > >> >> - The Always On feature allows applications to pay and keep 3 > instances of > > >> >> their > > >> >> application always running, which can significantly reduce > application > > >> >> latency. > > >> >> - Developers can now enable Warmup Requests. By specifying a > handler in > > >> >> an > > >> >> app's app.yaml, App Engine will attempt to to send a Warmup > Request to > > >> >> initialize new instances before a user interacts with it. This > can > > >> >> reduce the > > >> >> latency an end-user sees for initializing your application. > > >> >> - The Channel API is now available for all users. > > >> >> - Task Queue has been officially released, and is no longer an > > >> >> experimental > > >> >> feature. The API import paths that use 'labs' have been > deprecated. Task > > >> >> queue > > >> >> storage will count towards an application's overall storage > quota, and > > >> >> will > > >> >> thus be charged for. > > >> >> - The deadline for Task Queue and Cron requests has been raised to > 10 > > >> >> minutes. > > >> >> Datastore and API deadlines within those requests remain > unchanged. > > >> >> - For the Task Queue, developers can specify task retry_parameters > in > > >> >> their > > >> >> queue.yaml. > > >> >> - Metadata Queries on the datastore for datastore kinds, > namespaces, and > > >> >> entity > > >> >> properties are available. > > >> >> - URLFetch allowed response size has been increased, up to 32 MB. > Request > > >> >> size > > >> >> is still limited to 1 MB. > > >> >> - The Admin Console Blacklist page lists the top blacklist rejected > > >> >> visitors. > > >> >> - The automatic image thumbnailing service supports arbitrary crop > sizes > > >> >> up to > > >> >> 1600px. > > >> >> - Overall average instance latency in the Admin Console is now a > weighted > > >> >> average over QPS per instance. > > >> >> - The developer who uploaded an app version can download that > version's > > >> >> code > > >> >> using the appcfg.py download_app command. This feature can be > disabled > > >> >> on > > >> >> a per application basis in the admin console, under the > 'Permissions' > > >> >> tab. > > >> >> Once disabled, code download for the application CANNOT be > re-enabled. > > >> >> - Fixed an issue where custom Admin Console pages did not work for > Google > > >> >> Apps for your Domain users. > > >> >> - Allow Django initialization to be moved to appengine_config.py to > avoid > > >> >> Django version conflicts when mixing webapp.template with pure > Django. > > >> >> http://code.google.com/p/googleappengine/issues/detail?id=1758 > > >> >> - Fixed an issue in the dev_appserver where get_serving_url did not > work > > >> >> for transparent, cropped PNGs: > > >> >> http://code.google.com/p/googleappengine/issues/detail?id=3887 > > >> >> - Fixed an issue with the DatastoreFileStub. > > >> >> http://code.google.com/p/googleappengine/issues/detail?id=3895 > > > > >> >> Java > > >> >> --------- > > >> >> - The Always On feature allows applications to pay and keep 3 > instances of > > >> >> their > > >> >> application always running, which can significantly reduce > application > > >> >> latency. > > >> >> - Developers can now enable Warmup Requests. By specifying a > handler in > > >> >> an > > >> >> app's appengine-web.xml, App Engine will attempt to to send a > Warmup > > >> >> Request > > >> >> to initialize new instances before a user interacts with it. This > can > > >> >> reduce > > >> >> the latency an end-user sees for initializing your application. > > >> >> - The Channel API is now available for all users. > > >> >> - Task Queue has been officially released, and is no longer an > > >> >> experimental > > >> >> feature. The API import paths that use 'labs' have been > deprecated. Task > > >> >> queue > > >> >> storage will count towards an application's overall storage > quota, and > > >> >> will > > >> >> thus be charged for. > > >> >> - The deadline for Task Queue and Cron requests has been raised to > 10 > > >> >> minutes. > > >> >> Datastore and API deadlines within those requests remain > unchanged. > > >> >> - For the Task Queue, developers can specify task retry-parameters > in > > >> >> their > > >> >> queue.xml. > > >> >> - Metadata Queries on the datastore for datastore kinds, > namespaces, and > > >> >> entity > > >> >> properties are available. > > >> >> - URL Fetch allowed response size has been increased, up to 32 MB. > Request > > >> >> size > > >> >> is still limited to 1 MB. > > >> >> - The Admin Console Blacklist page lists the top blacklist rejected > > >> >> visitors. > > >> >> - The automatic image thumbnailing service supports arbitrary crop > sizes > > >> >> up to > > >> >> 1600px. > > >> >> - Overall average instance latency in the Admin Console is now a > weighted > > >> >> average over QPS per instance. > > >> >> - Added a low-level AysncDatastoreService for making calls to the > > >> >> datastore > > >> >> asynchronously. > > >> >> - Added a getBodyAsBytes() method to QueueStateInfo.TaskStateInfo, > this > > >> >> returns > > >> >> the body of the task state as a pure byte-string. > > >> >> - The whitelist has been updated to include all classes from > > >> >> javax.xml.soap. > > >> >> - Fixed an issue sending email to multiple recipients. > > >> >> http://code.google.com/p/googleappengine/issues/detail?id=1623 > > > > >> >> As usual, we value your feedback, so don't hesitate to evaluate > these SDKs > > >> >> and let us know. Be mindful that the server-side components have > not been > > >> >> deployed yet, so uploaded code shouldn't work. > > > > >> >> Happy coding! > > > > >> >> -- > > >> >> Ikai Lan > > >> >> Developer Programs Engineer, Google App Engine > > >> >> Blogger:http://googleappengine.blogspot.com > > >> >> Reddit:http://www.reddit.com/r/appengine > > >> >> Twitter:http://twitter.com/app_engine > > > > >> >> -- > > >> >> You received this message because you are subscribed to the Google > Groups > > >> >> "Google App Engine" group. > > >> >> To post to this group, send email to > [email protected]. > > >> >> To unsubscribe from this group, send email to > > >> >> [email protected]<google-appengine%[email protected]> > <google-appengine%[email protected]<google-appengine%[email protected]> > > > > >> >> . > > >> >> For more options, visit this group at > > >> >>http://groups.google.com/group/google-appengine?hl=en. > > > > >> > -- > > >> > Regards > > >> > Sandeep Koduri > > >> > cricwaves.com > > > > >> > -- > > >> > You received this message because you are subscribed to the Google > Groups > > >> > "Google App Engine" group. > > >> > To post to this group, send email to > [email protected]. > > >> > To unsubscribe from this group, send email to > > >> > [email protected]<google-appengine%[email protected]> > <google-appengine%[email protected]<google-appengine%[email protected]> > > > > >> > . > > >> > For more options, visit this group at > > >> >http://groups.google.com/group/google-appengine?hl=en. > > > > > -- > > > You received this message because you are subscribed to the Google > Groups "Google App Engine" group. > > > To post to this group, send email to [email protected] > . > > > To unsubscribe from this group, send email to > [email protected]<google-appengine%[email protected]> > . > > > For more options, visit this group athttp:// > groups.google.com/group/google-appengine?hl=en. > > > > > > -- > You received this message because you are subscribed to the Google Groups > "Google App Engine" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]<google-appengine%[email protected]> > . > For more options, visit this group at > http://groups.google.com/group/google-appengine?hl=en. > > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
