On Fri, Feb 22, 2013 at 05:08:43PM +0000, James Tunnicliffe wrote:
Hi Paul,
Thanks for looking at this. The problem with this approach is changes to the web interface will break the tool. We should put the complexity in the server code and make clients trivial. Adding an API to linaro-license-protection that is independent of page rendering wouldn't be difficult (1 day of work - it is mostly copy/paste from the web interface with different templates) to implement something like:
releases.linaro.org/api/path/to/directory = get listing
releases.linaro.org/api/path/to/directory/file/license = get license text
If we want some clients to have unrestricted access without going through the license download/accept cycle we could have an API key based authentication mechanism. Keys could be managed in the Django admin interface and only given out to run our own services, such as regression tools. releases.linaro.org/api/path/to/directory/file?api_key=<api key>
If we want anyone who accepts a license to be able to download through the API we could use the same license accept mechanism as the web interface - provide a license hash along with the request to prove you have downloaded the license and indicate that you accept it: releases.linaro.org/api/path/to/directory/file?accept_license=license_md5
I would personally avoid the last option because it would be very tempting to post links that use this API to give people direct access to files. We could easily work around this by salting the license file by appending "Downloaded on <time stamp>" to each download. If the time stamp is accurate to the minute we can just allow hashes for now and last minute.
Once this is in place clients are trivial and sharing links doesn't work for very long.
You could use HTTP headers instead of GET parameters for transmitting API keys and license acceptance data. Passing custom headers is trivial in headless clients, and impossible to represent in URLs, so you don't have this problem with links.
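The accept_license scheme proposed above (license hash salted with "Downloaded on <time stamp>", accepted for the current and previous minute) together with the header variant from the reply, as an added illustration that is not code from the thread or from linaro-license-protection; the license text, reference time and the X-Accept-License header name are assumed here.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample license text; the real text lives on releases.linaro.org.
LICENSE_TEXT = "Sample EULA: by downloading this file you agree to its terms.\n"
# Constructed reference time for the stand-alone demo and its checks.
SAMPLE_NOW = datetime(2013, 2, 22, 17, 8, tzinfo=timezone.utc)


def shift(when, minutes):
    """Return `when` moved by `minutes` (negative values go back in time)."""
    return when + timedelta(minutes=minutes)


def salted_license(license_text, when):
    """License text as the server would serve it for a download made at `when`."""
    stamp = when.strftime("%Y-%m-%d %H:%M")  # accurate to the minute, as proposed
    return license_text + "Downloaded on " + stamp + "\n"


def license_hash(license_text, when):
    """Client side: hash the salted text to prove it was downloaded and accepted."""
    return hashlib.md5(salted_license(license_text, when).encode("utf-8")).hexdigest()


def accept_license_valid(submitted, license_text, now):
    """Server side: accept only hashes for the current minute and the previous one,
    so a shared link stops working within two minutes. The salt is public, so this
    proves possession of the text, not identity; it only limits link lifetime."""
    for minutes_back in (0, 1):
        expected = license_hash(license_text, shift(now, -minutes_back))
        if hmac.compare_digest(submitted, expected):
            return True
    return False


def accept_from_headers(headers, license_text, now, header="X-Accept-License"):
    """Header variant (assumed header name): the hash travels in a custom
    header rather than in the URL, so it cannot be pasted into a link."""
    submitted = headers.get(header)
    return submitted is not None and accept_license_valid(submitted, license_text, now)


if __name__ == "__main__":
    fresh = license_hash(LICENSE_TEXT, SAMPLE_NOW)
    stale = license_hash(LICENSE_TEXT, shift(SAMPLE_NOW, -2))
    print("fresh hash accepted:", accept_license_valid(fresh, LICENSE_TEXT, SAMPLE_NOW))
    print("two-minute-old hash accepted:", accept_license_valid(stale, LICENSE_TEXT, SAMPLE_NOW))
```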