
ubuntu-appstore-developers team mailing list archive

Re: Click Packages Upload/Download Service

 

Great work Sidnei, thanks for the details!

Some comments below:
On Tue, Jul 2, 2013 at 7:59 PM, Sidnei da Silva
<sidnei.da.silva@xxxxxxxxxxxxx> wrote:
> The download service will support Range requests, so resumable downloads
> should be possible to implement on the client side without much effort. [DONE]
> [...]
> At the moment our plan for authenticated downloads is to use the SSO API for
> OAuth validation, which means downloads will require a valid SSO OAuth
> token. [DONE]

On the client side, we plan to have pausable/resumable downloads via
Range requests in a daemon that Manuel is building, but since this
daemon has no UI it's tricky for this daemon to have access to fresh
OAuth tokens to sign the URL on every resume.

Due to this we've been discussing the past few days with Ricardo and
Natalia to find a way to have the scope process that initiates the
downloads use an OAuth signed webservice to fetch a URL that would be
valid for 24hs, and pass that to the download process.

> HTTPS will be required for all requests, both for uploads and downloads.
> HTTP requests will be unconditionally redirected to HTTPS. [DONE]

I can clearly understand why we are using HTTPS for private packages,
but I don't understand why we can't use it for public packages (I'm
assuming that we have some checksum received via HTTPS before
downloading from HTTP, or a package signature, to avoid tampering).

My naïve thinking is that allowing HTTP for public packages would
result in improved download speeds due to ISP and perhaps CDN
caching, hopefully freeing bandwidth in our datacenter for private
packages, and perhaps some cost savings too. Am I way off?

cheers,
--
alecu
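
One way the 24-hour download URL discussed in this message could work, shown as an added example that is not part of the e-mail or of the service's code: the OAuth-validated web service mints a URL bound to the package path and an expiry time, and the download service re-checks it on every request, including each Range resume. The key, host, path and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"  # assumption: key shared by both services
TTL = 24 * 3600                   # the 24-hour validity from the thread


def _sign(path, expires):
    # Bind the signature to the exact path and expiry so neither can be
    # swapped for another package or a later timestamp.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def mint_url(base, path, now=None):
    """Web-service side: call only after the OAuth check has passed."""
    issued = int(time.time() if now is None else now)
    expires = issued + TTL
    query = urlencode({"expires": expires, "sig": _sign(path, expires)})
    return f"{base}{path}?{query}"


def check_url(url, now=None):
    """Download-service side: run on every request, Range resumes included."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    current = time.time() if now is None else now
    if current > expires:
        return False  # past the validity window
    expected = _sign(parts.path, expires)
    # Constant-time comparison avoids leaking signature bytes via timing.
    return hmac.compare_digest(sig.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed host and package path, for demonstration only.
    url = mint_url("https://downloads.example.invalid", "/click/demo.click")
    print(url, check_url(url))
```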

