Great work Sidnei, thanks for the details! Some comments below:

On Tue, Jul 2, 2013 at 7:59 PM, Sidnei da Silva <[email protected]> wrote:
> The download service will support Range requests, so resumable downloads should
> be possible to implement on the client side without much effort. [DONE]
> [...]
> At the moment our plan for authenticated downloads is to use the SSO API for
> OAuth validation, which means downloads will require a valid SSO OAuth
> token. [DONE]

On the client side, we plan to have pausable/resumable downloads via Range requests in a daemon that Manuel is building, but since this daemon has no UI it's tricky for this daemon to have access to fresh OAuth tokens to sign the URL on every resume. Due to this we've been discussing the past few days with Ricardo and Natalia to find a way to have the scope process that initiates the downloads use an OAuth signed webservice to fetch a URL that would be valid for 24hs, and passing that to the download process.

> HTTPS will be required for all requests, both for uploads and downloads. HTTP
> requests will be unconditionally redirected to HTTPS. [DONE]

I can clearly understand why we are using HTTPS for private packages, but I don't understand why we can't use it for public packages (I'm assuming that we have some checksum received via HTTPS before downloading from HTTP, or a package signature, to avoid tampering). My naïve thinking is that allowing HTTP for public packages would result in improved download speeds due to ISP and perhaps CDN caching, hopefully freeing bandwidth in our datacenter for private packages, and perhaps some cost savings too.

Am I way off?

cheers,
-- 
alecu

