Don't worry about it, the developer can only download the source code deployed by himself.
----------
keakon

On Sat, Nov 27, 2010 at 1:53 AM, Sandeep Koduri <[email protected]> wrote:
> Hello Ikai,
>
> We are not using as a source code control system, we have a core app on a version, its duty is to aggregate and store data.
> We have a team who are building modules which use the data in the datastore.
>
> The core app contains some confidential info about the sources of the data, which we don't want to expose to the rest.
> But we want the other versions updated by the dev can be downloadable.
>
> What I meant to say is once I upload app with the configuration in app config as *not downloadable*, even if someone tries to download the app using the configuration in app config as *downloadable*, he will not be able to download, as the configuration of the app in the particular version is set as *not downloadable* previously at the time of upload, so the source code is safe for the particular version.
>
> I feel this kind of option for source code download feature will be more useful.
>
> On Thu, Nov 25, 2010 at 2:21 AM, Ikai Lan (Google) <[email protected]> wrote:
>
>> Trust me, we thought out all the scenarios. Here are the scenarios:
>>
>> 1. Just enable it in app.yaml
>> - completely useless from a security perspective, an attacker would just enable it, download code, upload malicious code and steal data/compromise users' data over time
>>
>> 2. Make it opt-in, so you can't download the code unless there's a version of app.yaml that has this enabled uploaded
>> So an attacker can't download previous versions, but the problem here is: who would use this feature? The type of folks that want code download are unlikely to have known about this feature prior to uploading an app version.
>>
>> 3. Just enable it, allow disabling in app.yaml and don't allow versions uploaded before 1.4.0 going live to be downloaded
>> Same problems - users that ask for this feature won't benefit.
>>
>> 4. One way disable button
>> Seems to be the best compromise for all worlds. People that don't need this feature will just turn it off once and never, ever worry about it again. Developers that need this feature (generally seem like neophyte developers who are still learning about backups and source control) won't know to turn it off, and when they lose their code, they'll be relieved they can download their code.
>>
>> In general we do NOT recommend this feature as a replacement for:
>>
>> 1. Backups
>> 2. Source control
>>
>> A lot of folks come to App Engine because they're learning how to program, and they're not aware of source control or have "always back up your stuff" hammered in yet. See this blog post:
>>
>> http://www.7bks.com/blog/179001
>>
>> I'm going to be pretty adamant about not using this feature as a replacement for source control or backups in the groups, but I'm open to hearing about other reasons developers want this feature and why a permanent opt-out button is a bad idea.
>>
>> --
>> Ikai Lan
>> Developer Programs Engineer, Google App Engine
>> Blogger: http://googleappengine.blogspot.com
>> Reddit: http://www.reddit.com/r/appengine
>> Twitter: http://twitter.com/app_engine
>>
>> On Wed, Nov 24, 2010 at 12:26 PM, Thomas Johansson <[email protected]> wrote:
>>
>>> If the guy uploading enables downloads to be malicious, he could equally just post up the code somewhere.
>>>
>>> That being said, I hadn't thought about the case of accidentally re-enabling and then having the account compromised. Even still, not being able to ever turn it back on seems short sighted. Perhaps a way to enable it similar to how disabling an app works, so it can't be done maliciously.
>>>
>>> On Nov 24, 6:07 pm, Barry Hunter <[email protected]> wrote:
>>> > Being a one time nuke, means it's not possible for a developer to accidentally (or maliciously) re-enable downloads :)
>>> >
>>> > One of the main objections to 'download' is it makes it easier for someone who shouldn't get their hands on the source code. Yes the fact only the uploading developer gets it, makes it more secure, but not totally. Being able to turn off downloads, is another serious barrier to the 'thief'. Someone who has invested IP in their code, wants to be able to do everything possible to protect that.
>>> >
>>> > On 24 November 2010 16:25, Thomas Johansson <[email protected]> wrote:
>>> >
>>> > > Why was the decision made to make this an app-wide one time only nuke button?
>>> > >
>>> > > I think enabling/disabling it in app.yaml per-upload would be much more useful.
>>> > >
>>> > > On Nov 23, 8:30 pm, "Ikai Lan (Google)" <[email protected]> wrote:
>>> > >> You'll be able to download code, but anyone that wants to turn it off will be able to go to their admin dashboard and push a one-way, irreversible button to disallow this feature.
>>> > >>
>>> > >> Please do not depend on this feature to do source control.
>>> > >>
>>> > >> --
>>> > >> Ikai Lan
>>> > >> Developer Programs Engineer, Google App Engine
>>> > >> Blogger: http://googleappengine.blogspot.com
>>> > >> Reddit: http://www.reddit.com/r/appengine
>>> > >> Twitter: http://twitter.com/app_engine
>>> > >>
>>> > >> On Tue, Nov 23, 2010 at 11:12 AM, Sandeep Koduri <[email protected]> wrote:
>>> > >>
>>> > >> > Hello Ikai,
>>> > >> >
>>> > >> > Thanks and congrats for the great release.
>>> > >> >
>>> > >> > Will there be an option for source code download control in app.yaml?
>>> > >> > According to the mail thread in pre-release of 1.3.8 we thought this will be implemented, and that would be very helpful.
>>> > >> >
>>> > >> > The feature announced now will be a very good add-on but, by default if the config is to be on app.yaml.
>>> > >> > Will there be any option for the creator of the app to get any version's source code?
>>> > >> >
>>> > >> > We have some use cases relying on this option, so please make a reply about this, accordingly we can streamline the development process at our team.
>>> > >> >
>>> > >> > Thanks
>>> > >> >
>>> > >> > On Fri, Nov 19, 2010 at 3:57 AM, Ikai Lan (Google) <[email protected]> wrote:
>>> > >> >
>>> > >> >> Hey everyone,
>>> > >> >>
>>> > >> >> I just wanted to let everyone know that prerelease SDK 1.4.0 is out! Get it from the Google Code project:
>>> > >> >>
>>> > >> >> http://code.google.com/p/googleappengine/downloads/list
>>> > >> >>
>>> > >> >> We're still working on the docs and will have them ready for the final release, so if there are any questions about how to use the new features, feel free to ask on this thread and I'll do my best to clarify them. The release notes are below. This is an EXCITING release:
>>> > >> >>
>>> > >> >> Python
>>> > >> >> ------------
>>> > >> >> - The Always On feature allows applications to pay and keep 3 instances of their application always running, which can significantly reduce application latency.
>>> > >> >> - Developers can now enable Warmup Requests. By specifying a handler in an app's app.yaml, App Engine will attempt to send a Warmup Request to initialize new instances before a user interacts with it. This can reduce the latency an end-user sees for initializing your application.
>>> > >> >> - The Channel API is now available for all users.
>>> > >> >> - Task Queue has been officially released, and is no longer an experimental feature. The API import paths that use 'labs' have been deprecated. Task queue storage will count towards an application's overall storage quota, and will thus be charged for.
>>> > >> >> - The deadline for Task Queue and Cron requests has been raised to 10 minutes. Datastore and API deadlines within those requests remain unchanged.
>>> > >> >> - For the Task Queue, developers can specify task retry_parameters in their queue.yaml.
>>> > >> >> - Metadata Queries on the datastore for datastore kinds, namespaces, and entity properties are available.
>>> > >> >> - URLFetch allowed response size has been increased, up to 32 MB. Request size is still limited to 1 MB.
>>> > >> >> - The Admin Console Blacklist page lists the top blacklist rejected visitors.
>>> > >> >> - The automatic image thumbnailing service supports arbitrary crop sizes up to 1600px.
>>> > >> >> - Overall average instance latency in the Admin Console is now a weighted average over QPS per instance.
>>> > >> >> - The developer who uploaded an app version can download that version's code using the appcfg.py download_app command. This feature can be disabled on a per application basis in the admin console, under the 'Permissions' tab. Once disabled, code download for the application CANNOT be re-enabled.
>>> > >> >> - Fixed an issue where custom Admin Console pages did not work for Google Apps for your Domain users.
>>> > >> >> - Allow Django initialization to be moved to appengine_config.py to avoid Django version conflicts when mixing webapp.template with pure Django.
>>> > >> >>   http://code.google.com/p/googleappengine/issues/detail?id=1758
>>> > >> >> - Fixed an issue in the dev_appserver where get_serving_url did not work for transparent, cropped PNGs:
>>> > >> >>   http://code.google.com/p/googleappengine/issues/detail?id=3887
>>> > >> >> - Fixed an issue with the DatastoreFileStub.
>>> > >> >>   http://code.google.com/p/googleappengine/issues/detail?id=3895
>>> > >> >>
>>> > >> >> Java
>>> > >> >> ---------
>>> > >> >> - The Always On feature allows applications to pay and keep 3 instances of their application always running, which can significantly reduce application latency.
>>> > >> >> - Developers can now enable Warmup Requests. By specifying a handler in an app's appengine-web.xml, App Engine will attempt to send a Warmup Request to initialize new instances before a user interacts with it. This can reduce the latency an end-user sees for initializing your application.
>>> > >> >> - The Channel API is now available for all users.
>>> > >> >> - Task Queue has been officially released, and is no longer an experimental feature. The API import paths that use 'labs' have been deprecated. Task queue storage will count towards an application's overall storage quota, and will thus be charged for.
>>> > >> >> - The deadline for Task Queue and Cron requests has been raised to 10 minutes. Datastore and API deadlines within those requests remain unchanged.
>>> > >> >> - For the Task Queue, developers can specify task retry-parameters in their queue.xml.
>>> > >> >> - Metadata Queries on the datastore for datastore kinds, namespaces, and entity properties are available.
>>> > >> >> - URL Fetch allowed response size has been increased, up to 32 MB. Request size is still limited to 1 MB.
>>> > >> >> - The Admin Console Blacklist page lists the top blacklist rejected visitors.
>>> > >> >> - The automatic image thumbnailing service supports arbitrary crop sizes up to 1600px.
>>> > >> >> - Overall average instance latency in the Admin Console is now a weighted average over QPS per instance.
>>> > >> >> - Added a low-level AsyncDatastoreService for making calls to the datastore asynchronously.
>>> > >> >> - Added a getBodyAsBytes() method to QueueStateInfo.TaskStateInfo, this returns the body of the task state as a pure byte-string.
>>> > >> >> - The whitelist has been updated to include all classes from javax.xml.soap.
>>> > >> >> - Fixed an issue sending email to multiple recipients.
>>> > >> >>   http://code.google.com/p/googleappengine/issues/detail?id=1623
>>> > >> >>
>>> > >> >> As usual, we value your feedback, so don't hesitate to evaluate these SDKs and let us know. Be mindful that the server-side components have not been deployed yet, so uploaded code shouldn't work.
>>> > >> >>
>>> > >> >> Happy coding!
>>> > >> >>
>>> > >> >> --
>>> > >> >> Ikai Lan
>>> > >> >> Developer Programs Engineer, Google App Engine
>>> > >> >> Blogger: http://googleappengine.blogspot.com
>>> > >> >> Reddit: http://www.reddit.com/r/appengine
>>> > >> >> Twitter: http://twitter.com/app_engine
>>> > >> >>
>>> > >> >> --
>>> > >> >> You received this message because you are subscribed to the Google Groups "Google App Engine" group.
>>> > >> >> To post to this group, send email to [email protected].
>>> > >> >> To unsubscribe from this group, send email to [email protected].
>>> > >> >> For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
>>> > >> >
>>> > >> > --
>>> > >> > Regards
>>> > >> > Sandeep Koduri
>>> > >> > cricwaves.com
>
> --
> Regards
> Sandeep Koduri
> Atok Soft India | Cricfeeds.com
> Phone: +91- 99 666 02 456
> Gtalk: sandeep.koduri | Skype: sandeep.koduri
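The four options Ikai lists, together with the uploader-only rule keakon points to, worked through as an added model (not App Engine code, and not written by anyone in the thread). The class, field and policy names are hypothetical; it assumes the app.yaml flag in options 2 and 3 is pinned to the version it was uploaded with, and that the attacker acts through the original uploader's compromised account.

```python
# Constructed model: class, field and policy names are hypothetical, not App Engine APIs.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Version:
    uploader: str
    yaml_flag: Optional[bool]  # download flag in the app.yaml uploaded with this version
    legacy: bool               # uploaded before the feature went live

@dataclass
class App:
    policy: str
    versions: dict = field(default_factory=dict)
    live_flag: Optional[bool] = None  # flag from the most recent app.yaml upload
    latched_off: bool = False         # option 4: no method ever sets this back

    def upload(self, name, who, yaml_flag=None, legacy=False):
        self.versions[name] = Version(who, yaml_flag, legacy)
        self.live_flag = yaml_flag
    def disable_downloads(self):      # the one-way admin console button
        self.latched_off = True
    def can_download(self, name, who):
        v = self.versions[name]
        if who != v.uploader:         # rule from the release notes: uploader only
            return False
        return {
            "1_yaml_live": self.live_flag is True,
            "2_opt_in": v.yaml_flag is True,
            "3_opt_out": v.yaml_flag is not False and not v.legacy,
            "4_one_way": not self.latched_off,
        }[self.policy]

def evaluate(policy):
    """Return (stolen, recoverable, teammate) for one policy; scenarios are constructed."""
    # A careful owner locks 'core' down, then the owner's account is taken over.
    app = App(policy)
    app.upload("core", "owner", yaml_flag=False)
    app.disable_downloads()
    app.upload("evil", "owner", yaml_flag=True)  # attacker re-enables via app.yaml
    stolen = app.can_download("core", "owner")
    teammate = app.can_download("core", "module_dev")
    # A beginner uploaded before the feature existed, lost the code, enables it afterwards.
    old = App(policy)
    old.upload("v1", "newbie", legacy=True)
    old.upload("stub", "newbie", yaml_flag=True)
    recoverable = old.can_download("v1", "newbie")
    return stolen, recoverable, teammate
RESULTS = {p: evaluate(p) for p in ("1_yaml_live", "2_opt_in", "3_opt_out", "4_one_way")}
```

Only option 4 comes out as `(False, True, False)`: the locked-down version stays out of reach after a takeover, while a developer who never touched the setting can still recover old code.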
