On Fri, Feb 22, 2013 at 05:08:43PM +0000, James Tunnicliffe wrote:
> Hi Paul,
> 
> Thanks for looking at this. The problem with this approach is changes
> to the web interface will break the tool. We should put the complexity
> in the server code and make clients trivial. Adding an API to
> linaro-license-protection that is independent of page rendering
> wouldn't be difficult (1 day of work - it is mostly copy/paste from
> the web interface with different templates) to implement something
> like:
> 
> releases.linaro.org/api/path/to/directory = get listing
> releases.linaro.org/api/path/to/directory/file/license = get license text
> 
> If we want some clients to have unrestricted access without going
> through the license download/accept cycle we could have an API key
> based authentication mechanism. Keys could be managed in the Django
> admin interface and only given out to run our own services, such as
> regression tools.
> releases.linaro.org/api/path/to/directory/file?api_key=<api key>
> 
> If we want anyone who accepts a license to be able to download through
> the API we could use the same license accept mechanism as the web
> interface - provide a license hash along with the request to prove you
> have downloaded the license and indicate that you accept it:
> releases.linaro.org/api/path/to/directory/file?accept_license=license_md5
> 
> I would personally avoid the last option because it would be very
> tempting to post links that use this API to give people direct access
> to files. We could easily work around this by salting the license file
> by appending "Downloaded on <time stamp>" to each download. If the
> time stamp is accurate to the minute we can just allow hashes for now
> and last minute.
> 
> Once this is in place clients are trivial and sharing links doesn't
> work for very long.

You could use HTTP headers instead of GET parameters for transmitting
API keys and license acceptance data. Passing custom headers is trivial
in headless clients, and impossible to represent in URLs so you don't
have this problem with links.

-- 
Antonio Terceiro
Software Engineer - Linaro
http://www.linaro.org
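The acceptance check sketched in the quoted message, carried over the HTTP headers Antonio proposes instead of GET parameters, as an added example that is not code from linaro-license-protection or from either author. The header names, the timestamp format, the sample license text and the API key are assumptions; the salt, the MD5 hash and the "now or last minute" window are taken from the thread.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample data (a real service would load these from its Django models)
# and assumed header names; the thread says only "HTTP headers", not which ones.
LICENSE_TEXT = "Sample EULA: by downloading this file you accept the terms.\n"
API_KEYS = {"regression-tool": "constructed-example-key"}
API_KEY_HEADER = "X-Api-Key"
ACCEPT_LICENSE_HEADER = "X-Accept-License"

def salted_license(license_text, when):
    """Salt the license as proposed: append 'Downloaded on <time stamp>' at minute precision."""
    stamp = when.replace(second=0, microsecond=0).strftime("%Y-%m-%d %H:%M UTC")
    return license_text + "Downloaded on " + stamp

def license_hash(license_text, when):
    """MD5 of the salted text (the thread's choice); the client computes this over what it downloaded."""
    return hashlib.md5(salted_license(license_text, when).encode("utf-8")).hexdigest()

def acceptance_valid(presented, license_text, now):
    """Accept the hash for the current minute or the previous one, so shared links expire fast."""
    for minutes_back in (0, 1):
        expected = license_hash(license_text, now - timedelta(minutes=minutes_back))
        if hmac.compare_digest(expected.encode(), presented.encode()):
            return True
    return False

def authorize(headers, license_text, now):
    """Server-side decision for a file request; credentials come from headers, never the URL."""
    key = headers.get(API_KEY_HEADER)
    if key is not None:
        return any(hmac.compare_digest(key.encode(), k.encode()) for k in API_KEYS.values())
    token = headers.get(ACCEPT_LICENSE_HEADER)
    return token is not None and acceptance_valid(token, license_text, now)

def scenarios():
    """Walk the thread's cases: a regression tool uses its key, a user's token ages out."""
    t0 = datetime(2013, 2, 22, 17, 8, 43, tzinfo=timezone.utc)
    token = license_hash(LICENSE_TEXT, t0)
    def accept(now):
        return authorize({ACCEPT_LICENSE_HEADER: token}, LICENSE_TEXT, now)
    return {
        "same_minute": accept(t0 + timedelta(seconds=10)),
        "next_minute": accept(t0 + timedelta(minutes=1)),
        "shared_link_later": accept(t0 + timedelta(minutes=3)),
        "api_key": authorize({API_KEY_HEADER: API_KEYS["regression-tool"]}, LICENSE_TEXT, t0),
        "no_credentials": authorize({}, LICENSE_TEXT, t0),
    }
```

Because the token travels in a request header, a copied URL carries nothing usable, and even a copied token stops working once the minute window has passed.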


_______________________________________________
linaro-validation mailing list
http://lists.linaro.org/mailman/listinfo/linaro-validation
