Adam: good use case. Now that you mention it, I remember a situation in
which I've logged in remotely and diff'd deployed code vs. code that I
believed was deployed. In the end (as is usually the case in these
situations), I realized it was user error from a bad source code merge to a
branch.

Administrators of the system *should* still be able to unlock this feature
for developers in an emergency, though we may place some safeguards and
processes around filing a billing issue (account verification, for instance)
to get it undone to minimize the cases where this would happen.

--
Ikai Lan
Developer Programs Engineer, Google App Engine
Blogger: http://googleappengine.blogspot.com
Reddit: http://www.reddit.com/r/appengine
Twitter: http://twitter.com/app_engine



On Thu, Nov 25, 2010 at 11:57 AM, Adam Sah <[email protected]> wrote:

> +1 - I saw this design and immediately saw the tradeoffs-- hats off.
>
> FYI even seasoned ops people occasionally need to "prove" that what's
> in prod is actually what's in dev.  As a real example, consider bugs/changes
> in your push scripts (in the case of GAE, wrappers for appcfg)
>
> It's like root on regular systems-- in theory you never need it, in practice
> every ops team has somebody who can login and once a quarter, they use it.
>
> thanks!!!
> adam
> 'graduate' of google eng, invented Gadgets
>
> On Nov 24, 3:51 pm, "Ikai Lan (Google)" <[email protected]> wrote:
> > Trust me, we thought out all the scenarios. Here are the scenarios:
> >
> > 1. Just enable it in app.yaml
> > - completely useless from a security perspective, an attacker would just
> > enable it, download code, upload malicious code and steal data/compromise
> > users' data over time
> >
> > 2. Make it opt-in, so you can't download the code unless there's a version
> > of app.yaml that has this enabled uploaded
> > So an attacker can't download previous versions, but the problem here is:
> > who would use this feature? The type of folks that want code download are
> > unlikely to have known about this feature prior to uploading an app version.
> >
> > 3. Just enable it, allow disabling in app.yaml and don't allow versions
> > uploaded before 1.4.0 going live to be downloaded
> > Same problems - users that ask for this feature won't benefit.
> >
> > 4. One way disable button
> > Seems to be the best compromise for all worlds. People that don't need this
> > feature will just turn it off once and never, ever worry about it again.
> > Developers that need this feature (generally seem like neophyte developers
> > who are still learning about backups and source control) won't know to turn
> > it off, and when they lose their code, they'll be relieved they can download
> > their code.
> >
> > In general we do NOT recommend this feature as a replacement for:
> >
> > 1. Backups
> > 2. Source control
> >
> > A lot of folks come to App Engine because they're learning how to program,
> > and they're not aware of source control or have "always back up your stuff"
> > hammered in yet. See this blog post:
> >
> > http://www.7bks.com/blog/179001
> >
> > I'm going to be pretty adamant about not using this feature as a replacement
> > for source control or backups in the groups, but I'm open to hearing about
> > other reasons developers want this feature and why a permanent opt-out
> > button is a bad idea.
> >
> > --
> > Ikai Lan
> > Developer Programs Engineer, Google App Engine
> > Blogger:http://googleappengine.blogspot.com
> > Reddit:http://www.reddit.com/r/appengine
> > Twitter:http://twitter.com/app_engine
> >
> > On Wed, Nov 24, 2010 at 12:26 PM, Thomas Johansson <[email protected]> wrote:
> > > If the guy uploading enables downloads to be malicious, he could
> > > equally just post up the code somewhere.
> >
> > > That being said, I hadn't thought about the case of accidentally
> > > re-enabling and then having the account compromised. Even still, not
> > > being able to ever turn it back on seems short sighted. Perhaps a way
> > > to enable it similar to how disabling an app works, so it can't be
> > > done maliciously.
> >
> > > On Nov 24, 6:07 pm, Barry Hunter <[email protected]> wrote:
> > > > Being a one time nuke, means it's not possible for a developer to
> > > > accidentally (or maliciously) re-enable downloads :)
> >
> > > > One of the main objections to 'download' is it makes it easier for
> > > > someone who shouldn't get their hands on the source code. Yes the fact
> > > > only the uploading developer gets it, makes it more secure, but not
> > > > totally. Being able to turn off downloads, is another serious barrier
> > > > to the 'thief'. Someone who has invested IP in their code, wants to be
> > > > able to do everything possible to protect that.
> >
> > > > On 24 November 2010 16:25, Thomas Johansson <[email protected]> wrote:
> >
> > > > > Why was the decision made to make this an app-wide one time only nuke
> > > > > button?
> >
> > > > > I think enabling/disabling it in app.yaml per-upload would be much
> > > > > more useful.
> >
> > > > > On Nov 23, 8:30 pm, "Ikai Lan (Google)" <[email protected]> wrote:
> > > > >> You'll be able to download code, but anyone that wants to turn it off will
> > > > >> be able to go to their admin dashboard and push a one-way, irreversible
> > > > >> button to disallow this feature.
> >
> > > > >> Please do not depend on this feature to do source control.
> >
> > > > >> --
> > > > >> Ikai Lan
> > > > >> Developer Programs Engineer, Google App Engine
> > > > >> Blogger:http://googleappengine.blogspot.com
> > > > >> Reddit:http://www.reddit.com/r/appengine
> > > > >> Twitter:http://twitter.com/app_engine
> >
> > > > >> On Tue, Nov 23, 2010 at 11:12 AM, Sandeep Koduri <[email protected]> wrote:
> >
> > > > >> > Hello ikai,
> >
> > > > >> > Thanks and congrats for the great release.
> >
> > > > >> > Will there be an option for source code download control in app.yaml.
> > > > >> > according to the mail thread in pre-release of 1.3.8 we thought this will
> > > > >> > be implemented, and that would be very helpful.
> >
> > > > >> > the feature announced now will be a very good add-on but, by default if the
> > > > >> > config is to be on app.yaml.
> > > > >> > Will there be any option for the creator of the app to get any versions
> > > > >> > source code.
> >
> > > > >> > We have some use cases relying on this option. so please make a reply about
> > > > >> > this, accordingly we can streamline the development process at our team,
> >
> > > > >> > Thanks
> >
> > > > >> > On Fri, Nov 19, 2010 at 3:57 AM, Ikai Lan (Google) <[email protected]> wrote:
> >
> > > > >> >> Hey everyone,
> >
> > > > >> >> I just wanted to let everyone know that prerelease SDK 1.4.0 is out! Get
> > > > >> >> it from the Google Code project:
> >
> > > > >> >> http://code.google.com/p/googleappengine/downloads/list
> >
> > > > >> >> We're still working on the docs and will have them ready for the final
> > > > >> >> release, so if there are any questions about how to use the new features,
> > > > >> >> feel free to ask on this thread and I'll do my best to clarify them. The
> > > > >> >> release notes are below. This is an EXCITING release:
> >
> > > > >> >> Python
> > > > >> >> ------------
> > > > >> >> - The Always On feature allows applications to pay and keep 3 instances of
> > > > >> >>   their application always running, which can significantly reduce
> > > > >> >>   application latency.
> > > > >> >> - Developers can now enable Warmup Requests. By specifying a handler in an
> > > > >> >>   app's app.yaml, App Engine will attempt to send a Warmup Request to
> > > > >> >>   initialize new instances before a user interacts with it. This can
> > > > >> >>   reduce the latency an end-user sees for initializing your application.
> > > > >> >> - The Channel API is now available for all users.
> > > > >> >> - Task Queue has been officially released, and is no longer an experimental
> > > > >> >>   feature. The API import paths that use 'labs' have been deprecated. Task
> > > > >> >>   queue storage will count towards an application's overall storage quota,
> > > > >> >>   and will thus be charged for.
> > > > >> >> - The deadline for Task Queue and Cron requests has been raised to 10
> > > > >> >>   minutes. Datastore and API deadlines within those requests remain
> > > > >> >>   unchanged.
> > > > >> >> - For the Task Queue, developers can specify task retry_parameters in their
> > > > >> >>   queue.yaml.
> > > > >> >> - Metadata Queries on the datastore for datastore kinds, namespaces, and
> > > > >> >>   entity properties are available.
> > > > >> >> - URLFetch allowed response size has been increased, up to 32 MB. Request
> > > > >> >>   size is still limited to 1 MB.
> > > > >> >> - The Admin Console Blacklist page lists the top blacklist rejected
> > > > >> >>   visitors.
> > > > >> >> - The automatic image thumbnailing service supports arbitrary crop sizes
> > > > >> >>   up to 1600px.
> > > > >> >> - Overall average instance latency in the Admin Console is now a weighted
> > > > >> >>   average over QPS per instance.
> > > > >> >> - The developer who uploaded an app version can download that version's
> > > > >> >>   code using the appcfg.py download_app command. This feature can be
> > > > >> >>   disabled on a per application basis in the admin console, under the
> > > > >> >>   'Permissions' tab. Once disabled, code download for the application
> > > > >> >>   CANNOT be re-enabled.
> > > > >> >> - Fixed an issue where custom Admin Console pages did not work for Google
> > > > >> >>   Apps for your Domain users.
> > > > >> >> - Allow Django initialization to be moved to appengine_config.py to avoid
> > > > >> >>   Django version conflicts when mixing webapp.template with pure Django.
> > > > >> >>   http://code.google.com/p/googleappengine/issues/detail?id=1758
> > > > >> >> - Fixed an issue in the dev_appserver where get_serving_url did not work
> > > > >> >>   for transparent, cropped PNGs:
> > > > >> >>   http://code.google.com/p/googleappengine/issues/detail?id=3887
> > > > >> >> - Fixed an issue with the DatastoreFileStub.
> > > > >> >>   http://code.google.com/p/googleappengine/issues/detail?id=3895
> >
> > > > >> >> Java
> > > > >> >> ---------
> > > > >> >> - The Always On feature allows applications to pay and keep 3 instances of
> > > > >> >>   their application always running, which can significantly reduce
> > > > >> >>   application latency.
> > > > >> >> - Developers can now enable Warmup Requests. By specifying a handler in an
> > > > >> >>   app's appengine-web.xml, App Engine will attempt to send a Warmup
> > > > >> >>   Request to initialize new instances before a user interacts with it.
> > > > >> >>   This can reduce the latency an end-user sees for initializing your
> > > > >> >>   application.
> > > > >> >> - The Channel API is now available for all users.
> > > > >> >> - Task Queue has been officially released, and is no longer an experimental
> > > > >> >>   feature. The API import paths that use 'labs' have been deprecated. Task
> > > > >> >>   queue storage will count towards an application's overall storage quota,
> > > > >> >>   and will thus be charged for.
> > > > >> >> - The deadline for Task Queue and Cron requests has been raised to 10
> > > > >> >>   minutes. Datastore and API deadlines within those requests remain
> > > > >> >>   unchanged.
> > > > >> >> - For the Task Queue, developers can specify task retry-parameters in their
> > > > >> >>   queue.xml.
> > > > >> >> - Metadata Queries on the datastore for datastore kinds, namespaces, and
> > > > >> >>   entity properties are available.
> > > > >> >> - URL Fetch allowed response size has been increased, up to 32 MB. Request
> > > > >> >>   size is still limited to 1 MB.
> > > > >> >> - The Admin Console Blacklist page lists the top blacklist rejected
> > > > >> >>   visitors.
> > > > >> >> - The automatic image thumbnailing service supports arbitrary crop sizes
> > > > >> >>   up to 1600px.
> > > > >> >> - Overall average instance latency in the Admin Console is now a weighted
> > > > >> >>   average over QPS per instance.
> > > > >> >> - Added a low-level AsyncDatastoreService for making calls to the
> > > > >> >>   datastore asynchronously.
> > > > >> >> - Added a getBodyAsBytes() method to QueueStateInfo.TaskStateInfo, this
> > > > >> >>   returns the body of the task state as a pure byte-string.
> > > > >> >> - The whitelist has been updated to include all classes from
> > > > >> >>   javax.xml.soap.
> > > > >> >> - Fixed an issue sending email to multiple recipients.
> > > > >> >>   http://code.google.com/p/googleappengine/issues/detail?id=1623
> >
> > > > >> >> As usual, we value your feedback, so don't hesitate to evaluate these SDKs
> > > > >> >> and let us know. Be mindful that the server-side components have not been
> > > > >> >> deployed yet, so uploaded code shouldn't work.
> >
> > > > >> >> Happy coding!
> >
> > > > >> >> --
> > > > >> >> Ikai Lan
> > > > >> >> Developer Programs Engineer, Google App Engine
> > > > >> >> Blogger:http://googleappengine.blogspot.com
> > > > >> >> Reddit:http://www.reddit.com/r/appengine
> > > > >> >> Twitter:http://twitter.com/app_engine
> >
> > > > >> >>  --
> > > > >> >> You received this message because you are subscribed to the Google Groups
> > > > >> >> "Google App Engine" group.
> > > > >> >> To post to this group, send email to [email protected].
> > > > >> >> To unsubscribe from this group, send email to [email protected].
> > > > >> >> For more options, visit this group at
> > > > >> >> http://groups.google.com/group/google-appengine?hl=en.
> >
> > > > >> > --
> > > > >> > Regards
> > > > >> > Sandeep Koduri
> > > > >> > cricwaves.com
> >
> >
>
