+1 - I saw this design and immediately saw the tradeoffs-- hats off.

FYI even seasoned ops people occasionally need to "prove" that what's
in prod is actually what's in dev.  As a real example, consider bugs/
changes in your push scripts (in the case of GAE, wrappers for appcfg)

It's like root on regular systems-- in theory you never need it, in
practice every ops team has somebody who can login and once a quarter,
they use it.

thanks!!!
adam
'graduate' of google eng, invented Gadgets

On Nov 24, 3:51 pm, "Ikai Lan (Google)" <[email protected]>
wrote:
> Trust me, we thought out all the scenarios. Here are the scenarios:
>
> 1. Just enable it in app.yaml
> - completely useless from a security perspective, an attacker would just
> enable it, download code, upload malicious code and steal data/compromise
> users' data over time
>
> 2. Make it opt-in, so you can't download the code unless there's a version
> of app.yaml that has this enabled uploaded
> So an attacker can't download previous versions, but the problem here is:
> who would use this feature? The type of folks that want code download are
> unlikely to have known about this feature prior to uploading an app version.
>
> 3. Just enable it, allow disabling in app.yaml and don't allow versions
> uploaded before 1.4.0 going live to be downloaded
> Same problems - users that ask for this feature won't benefit.
>
> 4. One way disable button
> Seems to be the best compromise for all worlds. People that don't need this
> feature will just turn it off once and never, ever worry about it again.
> Developers that need this feature (generally seem like neophyte developers
> who are still learning about backups and source control) won't know to turn
> it off, and when they lose their code, they'll be relieved they can download
> their code.
>
> In general we do NOT recommend this feature as a replacement for:
>
> 1. Backups
> 2. Source control
>
> A lot of folks come to App Engine because they're learning how to program,
> and they're not aware of source control or have "always back up your stuff"
> hammered in yet. See this blog post:
>
> http://www.7bks.com/blog/179001
>
> I'm going to be pretty adamant about not using this feature as a replacement
> for source control or backups in the groups, but I'm open to hearing about
> other reasons developers want this feature and why a permanent opt-out
> button is a bad idea.
>
> --
> Ikai Lan
> Developer Programs Engineer, Google App Engine
> Blogger: http://googleappengine.blogspot.com
> Reddit: http://www.reddit.com/r/appengine
> Twitter: http://twitter.com/app_engine
>
> On Wed, Nov 24, 2010 at 12:26 PM, Thomas Johansson <[email protected]> wrote:
>
> > If the guy uploading enables downloads to be malicious, he could
> > equally just post up the code somewhere.
>
> > That being said, I hadn't thought about the case of accidentally re-
> > enabling and then having the account compromised. Even still, not
> > being able to ever turn it back on seems short sighted. Perhaps a way
> > to enable it similar to how disabling an app works, so it can't be
> > done maliciously.
>
> > On Nov 24, 6:07 pm, Barry Hunter <[email protected]> wrote:
> > > Being a one time nuke, means it's not possible for a developer to
> > > accidentally (or maliciously) re enable downloads :)
>
> > > One of the main objections to 'download' is it makes it easier for
> > > someone who shouldn't get their hands on the source code. Yes the fact
> > > only the uploading developer gets it, makes it more secure, but not
> > > totally. Being able to turn off downloads, is another serious barrier
> > > to the 'thief'. Someone who has invested IP in their code, wants to be
> > > able to do everything possible to protect that.
>
> > > On 24 November 2010 16:25, Thomas Johansson <[email protected]> wrote:
>
> > > > Why was the decision made to make this an app-wide one time only nuke
> > > > button?
>
> > > > I think enabling/disabling it in app.yaml per-upload would be much
> > > > more useful.
>
> > > > > On Nov 23, 8:30 pm, "Ikai Lan (Google)" <[email protected]> wrote:
> > > > >> You'll be able to download code, but anyone that wants to turn it off will
> > > > >> be able to go to their admin dashboard and push a one-way, irreversible
> > > > >> button to disallow this feature.
>
> > > >> Please do not depend on this feature to do source control.
>
> > > >> --
> > > >> Ikai Lan
> > > >> Developer Programs Engineer, Google App Engine
> > > > >> Blogger: http://googleappengine.blogspot.com
> > > > >> Reddit: http://www.reddit.com/r/appengine
> > > > >> Twitter: http://twitter.com/app_engine
>
> > > > >> On Tue, Nov 23, 2010 at 11:12 AM, Sandeep Koduri <[email protected]> wrote:
>
> > > > >> > Hello ikai,
>
> > > > >> > Thanks and congrats for the great release.
>
> > > > >> > Will there be an option for source code download control in app.yaml.
> > > > >> > according to the mail thread in pre-release of 1.3.8 we thought this will
> > > > >> > be implemented, and that would be very helpful.
>
> > > > >> > the feature announced now will be a very good add-on but, by default if the
> > > > >> > config is to be on app.yaml.
> > > > >> > Will there be any option for the creator of the app to get any versions
> > > > >> > source code.
>
> > > > >> > We have some use cases relying on this option. so please make a reply about
> > > > >> > this, accordingly we can streamline the development process at our team,
>
> > > > >> > Thanks
>
> > > > >> > On Fri, Nov 19, 2010 at 3:57 AM, Ikai Lan (Google) <[email protected]> wrote:
>
> > > > >> >> Hey everyone,
>
> > > > >> >> I just wanted to let everyone know that prerelease SDK 1.4.0 is out! Get
> > > > >> >> it from the Google Code project:
>
> > > > >> >> http://code.google.com/p/googleappengine/downloads/list
>
> > > > >> >> We're still working on the docs and will have them ready for the final
> > > > >> >> release, so if there are any questions about how to use the new features,
> > > > >> >> feel free to ask on this thread and I'll do my best to clarify them. The
> > > > >> >> release notes are below. This is an EXCITING release:
>
> > > > >> >> Python
> > > > >> >> ------------
> > > > >> >> - The Always On feature allows applications to pay and keep 3 instances of
> > > > >> >>   their application always running, which can significantly reduce
> > > > >> >>   application latency.
> > > > >> >> - Developers can now enable Warmup Requests. By specifying a handler in an
> > > > >> >>   app's app.yaml, App Engine will attempt to send a Warmup Request to
> > > > >> >>   initialize new instances before a user interacts with it. This can
> > > > >> >>   reduce the latency an end-user sees for initializing your application.
> > > > >> >> - The Channel API is now available for all users.
> > > > >> >> - Task Queue has been officially released, and is no longer an experimental
> > > > >> >>   feature. The API import paths that use 'labs' have been deprecated. Task
> > > > >> >>   queue storage will count towards an application's overall storage quota,
> > > > >> >>   and will thus be charged for.
> > > > >> >> - The deadline for Task Queue and Cron requests has been raised to 10
> > > > >> >>   minutes. Datastore and API deadlines within those requests remain
> > > > >> >>   unchanged.
> > > > >> >> - For the Task Queue, developers can specify task retry_parameters in their
> > > > >> >>   queue.yaml.
> > > > >> >> - Metadata Queries on the datastore for datastore kinds, namespaces, and
> > > > >> >>   entity properties are available.
> > > > >> >> - URLFetch allowed response size has been increased, up to 32 MB. Request
> > > > >> >>   size is still limited to 1 MB.
> > > > >> >> - The Admin Console Blacklist page lists the top blacklist rejected
> > > > >> >>   visitors.
> > > > >> >> - The automatic image thumbnailing service supports arbitrary crop sizes
> > > > >> >>   up to 1600px.
> > > > >> >> - Overall average instance latency in the Admin Console is now a weighted
> > > > >> >>   average over QPS per instance.
> > > > >> >> - The developer who uploaded an app version can download that version's
> > > > >> >>   code using the appcfg.py download_app command. This feature can be
> > > > >> >>   disabled on a per application basis in the admin console, under the
> > > > >> >>   'Permissions' tab. Once disabled, code download for the application
> > > > >> >>   CANNOT be re-enabled.
> > > > >> >> - Fixed an issue where custom Admin Console pages did not work for Google
> > > > >> >>   Apps for your Domain users.
> > > > >> >> - Allow Django initialization to be moved to appengine_config.py to avoid
> > > > >> >>   Django version conflicts when mixing webapp.template with pure Django.
> > > > >> >>    http://code.google.com/p/googleappengine/issues/detail?id=1758
> > > > >> >> - Fixed an issue in the dev_appserver where get_serving_url did not work
> > > > >> >>   for transparent, cropped PNGs:
> > > > >> >>    http://code.google.com/p/googleappengine/issues/detail?id=3887
> > > > >> >> - Fixed an issue with the DatastoreFileStub.
> > > > >> >>    http://code.google.com/p/googleappengine/issues/detail?id=3895
>
> > > > >> >> Java
> > > > >> >> ---------
> > > > >> >> - The Always On feature allows applications to pay and keep 3 instances of
> > > > >> >>   their application always running, which can significantly reduce
> > > > >> >>   application latency.
> > > > >> >> - Developers can now enable Warmup Requests. By specifying a handler in an
> > > > >> >>   app's appengine-web.xml, App Engine will attempt to send a Warmup Request
> > > > >> >>   to initialize new instances before a user interacts with it. This can
> > > > >> >>   reduce the latency an end-user sees for initializing your application.
> > > > >> >> - The Channel API is now available for all users.
> > > > >> >> - Task Queue has been officially released, and is no longer an experimental
> > > > >> >>   feature. The API import paths that use 'labs' have been deprecated. Task
> > > > >> >>   queue storage will count towards an application's overall storage quota,
> > > > >> >>   and will thus be charged for.
> > > > >> >> - The deadline for Task Queue and Cron requests has been raised to 10
> > > > >> >>   minutes. Datastore and API deadlines within those requests remain
> > > > >> >>   unchanged.
> > > > >> >> - For the Task Queue, developers can specify task retry-parameters in their
> > > > >> >>   queue.xml.
> > > > >> >> - Metadata Queries on the datastore for datastore kinds, namespaces, and
> > > > >> >>   entity properties are available.
> > > > >> >> - URL Fetch allowed response size has been increased, up to 32 MB. Request
> > > > >> >>   size is still limited to 1 MB.
> > > > >> >> - The Admin Console Blacklist page lists the top blacklist rejected
> > > > >> >>   visitors.
> > > > >> >> - The automatic image thumbnailing service supports arbitrary crop sizes
> > > > >> >>   up to 1600px.
> > > > >> >> - Overall average instance latency in the Admin Console is now a weighted
> > > > >> >>   average over QPS per instance.
> > > > >> >> - Added a low-level AsyncDatastoreService for making calls to the datastore
> > > > >> >>   asynchronously.
> > > > >> >> - Added a getBodyAsBytes() method to QueueStateInfo.TaskStateInfo, this
> > > > >> >>   returns the body of the task state as a pure byte-string.
> > > > >> >> - The whitelist has been updated to include all classes from
> > > > >> >>   javax.xml.soap.
> > > > >> >> - Fixed an issue sending email to multiple recipients.
> > > > >> >>    http://code.google.com/p/googleappengine/issues/detail?id=1623
>
> > > > >> >> As usual, we value your feedback, so don't hesitate to evaluate these SDKs
> > > > >> >> and let us know. Be mindful that the server-side components have not been
> > > > >> >> deployed yet, so uploaded code shouldn't work.
>
> > > > >> >> Happy coding!
>
> > > > >> >> --
> > > > >> >> Ikai Lan
> > > > >> >> Developer Programs Engineer, Google App Engine
> > > > >> >> Blogger: http://googleappengine.blogspot.com
> > > > >> >> Reddit: http://www.reddit.com/r/appengine
> > > > >> >> Twitter: http://twitter.com/app_engine
>
> > > >> >>  --
> > > >> >> You received this message because you are subscribed to the Google
> > Groups
> > > >> >> "Google App Engine" group.
> > > >> >> To post to this group, send email to
> > [email protected].
> > > >> >> To unsubscribe from this group, send email to
> > > >> >> [email protected]<google-appengine%2Bunsubscrib
> > > >> >>  [email protected]>
> > <google-appengine%[email protected]<google-appengine%252Bunsub 
> > [email protected]>
>
> > > >> >> .
> > > >> >> For more options, visit this group at
> > > >> >>http://groups.google.com/group/google-appengine?hl=en.
>
> > > >> > --
> > > >> > Regards
> > > >> > Sandeep Koduri
> > > >> > cricwaves.com
>
> > > >> > --
> > > >> > You received this message because you are subscribed to the Google
> > Groups
> > > >> > "Google App Engine" group.
> > > >> > To post to this group, send email to
> > [email protected].
> > > >> > To unsubscribe from this group, send email to
> > > >> > [email protected]<google-appengine%2Bunsubscrib
> > > >> >  [email protected]>
> > <google-appengine%[email protected]<google-appengine%252Bunsub 
> > [email protected]>
>
> > > >> > .
> > > >> > For more options, visit this group at
> > > >> >http://groups.google.com/group/google-appengine?hl=en.
>
> > > > --
> > > > You received this message because you are subscribed to the Google
> > Groups "Google App Engine" group.
> > > > To post to this group, send email to [email protected]
> > .
> > > > To unsubscribe from this group, send email to
> > [email protected]<google-appengine%2Bunsubscrib 
> > [email protected]>
> > .
> > > > For more options, visit this group athttp://
> > groups.google.com/group/google-appengine?hl=en.
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Google App Engine" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to
> > [email protected]<google-appengine%2Bunsubscrib 
> > [email protected]>
> > .
> > For more options, visit this group at
> >http://groups.google.com/group/google-appengine?hl=en.
