On 25 February 2013 13:35, Antonio Terceiro <[email protected]> wrote:
> On Fri, Feb 22, 2013 at 05:08:43PM +0000, James Tunnicliffe wrote:
>> Hi Paul,
>>
>> Thanks for looking at this. The problem with this approach is changes
>> to the web interface will break the tool. We should put the complexity
>> in the server code and make clients trivial. Adding an API to
>> linaro-license-protection that is independent of page rendering
>> wouldn't be difficult (1 day of work - it is mostly copy/paste from
>> the web interface with different templates) to implement something
>> like:
>>
>> releases.linaro.org/api/path/to/directory = get listing
>> releases.linaro.org/api/path/to/directory/file/license = get license text
>>
>> If we want some clients to have unrestricted access without going
>> through the license download/accept cycle we could have an API key
>> based authentication mechanism. Keys could be managed in the Django
>> admin interface and only given out to run our own services, such as
>> regression tools.
>> releases.linaro.org/api/path/to/directory/file?api_key=<api key>
>>
>> If we want anyone who accepts a license to be able to download through
>> the API we could use the same license accept mechanism as the web
>> interface - provide a license hash along with the request to prove you
>> have downloaded the license and indicate that you accept it:
>> releases.linaro.org/api/path/to/directory/file?accept_license=license_md5
>>
>> I would personally avoid the last option because it would be very
>> tempting to post links that use this API to give people direct access
>> to files. We could easily work around this by salting the license file
>> by appending "Downloaded on <time stamp>" to each download. If the
>> time stamp is accurate to the minute we can just allow hashes for now
>> and last minute.
>>
>> Once this is in place clients are trivial and sharing links doesn't
>> work for very long.
>
> You could use HTTP headers instead of GET parameters for transmitting
> API keys and license acceptance data. Passing custom headers is trivial
> in headless clients, and impossible to represent in URLs so you don't
> have this problem with links.
Excellent point. That would be a far less complicated workaround.

-- 
James Tunnicliffe

_______________________________________________
linaro-validation mailing list
[email protected]
http://lists.linaro.org/mailman/listinfo/linaro-validation
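The license-accept scheme discussed in this thread, as an added example that is not code from the thread or from linaro-license-protection: the client presents its hash in a custom header (the header name X-Accept-License is an assumption), and the server accepts the md5 of the license text salted with the current or the previous minute's "Downloaded on" stamp.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample license text standing in for a real license file.
LICENSE_TEXT = "SAMPLE LICENSE\nThis build may be used for evaluation only.\n"

# Assumed header name; the thread only says to use an HTTP header, not which one.
ACCEPT_HEADER = "X-Accept-License"

# Fixed clock so the demo is deterministic; a real server uses datetime.now(timezone.utc).
DEMO_NOW = datetime(2013, 2, 25, 13, 35, 12, tzinfo=timezone.utc)


def salted_license(text: str, when: datetime) -> str:
    """Return the license text as served: salted with a minute-precision download stamp."""
    stamp = when.strftime("%Y-%m-%d %H:%M UTC")  # seconds dropped, so the salt changes per minute
    return f"{text}\nDownloaded on {stamp}\n"


def license_token(text: str, when: datetime) -> str:
    """md5 of the salted text, as the thread proposes. It only proves the client fetched
    the current text; it is not a secret, so the short validity window does the real work."""
    return hashlib.md5(salted_license(text, when).encode("utf-8")).hexdigest()


def accepts_license(headers: dict, text: str, now: datetime) -> bool:
    """Server-side check: the presented token must match the current or the previous minute."""
    presented = str(headers.get(ACCEPT_HEADER, "")).encode("utf-8")
    for minutes_back in (0, 1):
        expected = license_token(text, now - timedelta(minutes=minutes_back)).encode("utf-8")
        if hmac.compare_digest(presented, expected):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    token = license_token(LICENSE_TEXT, DEMO_NOW)
    print(f"client sends  {ACCEPT_HEADER}: {token}")
    print("accepted:", accepts_license({ACCEPT_HEADER: token}, LICENSE_TEXT, DEMO_NOW))
```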
