Hi Paul,
Thanks for looking at this. The problem with this approach is changes to the web interface will break the tool. We should put the complexity in the server code and make clients trivial. Adding an API to linaro-license-protection that is independent of page rendering wouldn't be difficult (1 day of work - it is mostly copy/paste from the web interface with different templates) to implement something like:
releases.linaro.org/api/path/to/directory = get listing releases.linaro.org/api/path/to/directory/file/license = get license text
If we want some clients to have unrestricted access without going through the license download/accept cycle we could have an API key based authentication mechanism. Keys could be managed in the Django admin interface and only given out to run our own services, such as regression tools. releases.linaro.org/api/path/to/directory/file?api_key=<api key>
If we want anyone who accepts a license to be able to download through the API we could use the same license accept mechanism as the web interface - provide a license hash along with the request to prove you have downloaded the license and indicate that you accept it: releases.linaro.org/api/path/to/directory/file?accept_license=license_md5
I would personally avoid the last option because it would be very tempting to post links that use this API to give people direct access to files. We could easily work around this by salting the license file by appending "Downloaded on <time stamp>" to each download. If the time stamp is accurate to the minute we can just allow hashes for now and last minute.
Once this is in place clients are trivial and sharing links doesn't work for very long.
James
On 22 February 2013 15:56, Paul Sokolovsky paul.sokolovsky@linaro.org wrote:
Hello,
Short background:
- We need to access license-protected files as hosted on
snapshots.linaro.org in automated (or mediated) way as part if our CI workflow. 2. We used to have multiple ways to handle that, mostly adhoc, and most of which have bitrotted by now. 3. There were also concerns of specific means they're implemented (supposedly as not providing due diligence of license acceptance handling comparing to default procedure of browser download).
So, after confirming that we still have more than one client usage for this, I proceeded to implement what is intended to be single tool to handle this matter. The requirements are at: https://bugs.launchpad.net/linaro-license-protection/+bug/1130810 . The tool can be got as:
bzr branch lp:linaro-license-protection/download
or by following "download file" link at http://bazaar.launchpad.net/~linaro-automation/linaro-license-protection/dow...
(unfortunately, Launchpad Bzr browser doesn't seem to have means of getting download link to HEAD revision of a file, which is misfeature).
Please review both requirements collected and implementation, any suggestion for improvements are welcome.
-- Best Regards, Paul
Linaro.org | Open source software for ARM SoCs Follow Linaro: http://www.facebook.com/pages/Linaro http://twitter.com/#%21/linaroorg - http://www.linaro.org/linaro-blog