
ubuntu-appstore-developers team mailing list archive

Re: Scanning packages on upload


On Fri, Jul 26, 2013 at 12:46 AM, James Westby
<james.westby@xxxxxxxxxxxxx> wrote:

> Hi,
>
> Now that the skeleton of the server side is in place, Martin has asked
> me to start looking at one of the next topics, scanning click packages
> on upload for automated checks (and probably extracting information so
> the developer doesn't have to enter it).
>
> Already in SCA we have a system to pass off uploaded tarballs for
> automated packaging (pkgme). I think that this could largely be re-used,
> just changing the task that is being run to do click-related tasks.
>
> It works by making an API call to another service on each upload. This
> service retrieves the file, scans it, and then makes a callback request
> with the output. I think it would be pretty straightforward to adapt
> this to work for click packages too.
>
> The main question in my mind is how the scanning would fit in to the
> workflow. For example should the developer upload the file, and then
> wait for the scanning before entering the rest of the information?
> Should the scanning come after and the results be presented to the
> reviewers? Perhaps both for different checks.
>
> Martin has suggested that the first check be that the package name in
> the manifest matches the package name the developer entered in SCA.
>


Even if it's not something we want to do straight away, won't we be aiming
for the developer not needing to enter details that are already included in
the package?

If so, I'd assume we'd want the results of the scan before asking for those
details. We may even be able to structure the workflow so they don't need
to wait.

A few questions/thoughts:
 * Could we eventually move the upload step to the beginning of the
workflow?
 * Can we initiate the scan directly after the async upload finishes - i.e.
while the dev is still possibly entering other info... if there is other
info?
 * I'm assuming the scan won't take more than 0.5 second, but downloading
the package to the pkgme service will be the biggest contributor to latency -
would it be worth using pkgme locally on the updown service you guys
created so that there's no latency there - possibly the results could be
returned with the completion of the upload. A subordinate charm maybe?
 * Not for now, but eventually, could we create a cmd-line interface to the
updown service that uses your login creds to upload your package and then
redirect your browser to the rest of the workflow (i.e. the scan data would
already be there)?

-Michael
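As an added illustration that is not part of this thread and not code from SCA, pkgme or the click tooling, the block below sketches the scanner-side step James describes: retrieve the uploaded file, pull out its manifest, run the first check Martin suggested (manifest package name must equal the name the developer entered), and build the result payload that the callback request would carry, including the extracted name and version so the developer would not have to type them. Everything concrete here is an assumption constructed for the example: the archive is a plain gzipped tar with `manifest.json` at its root (a stand-in for the real click package format, which this code does not parse), the manifest values are made up, and the result-dict shape is invented.

```python
import io
import json
import tarfile

# Constructed sample manifest; "name", "version" and "framework" are keys a click
# manifest carries, but the values below are made up for this example.
SAMPLE_MANIFEST = {
    "name": "com.example.developer.demo",
    "version": "0.1",
    "framework": "ubuntu-sdk-13.10",
}

# Assumed location of the manifest inside the uploaded archive (example layout only).
MANIFEST_MEMBER = "manifest.json"


def build_sample_package(manifest, member=MANIFEST_MEMBER):
    """Build an in-memory gzipped tar holding the manifest: a constructed stand-in
    for an uploaded click package, so the example runs offline."""
    payload = json.dumps(manifest).encode("utf-8")
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=member)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def extract_manifest(package_bytes, member=MANIFEST_MEMBER):
    """Return the parsed manifest dict, or None if the upload is not a readable
    archive, has no manifest member, or the manifest is not a JSON object."""
    try:
        with tarfile.open(fileobj=io.BytesIO(package_bytes), mode="r:gz") as tar:
            try:
                fh = tar.extractfile(member)
            except KeyError:
                return None
            if fh is None:  # member exists but is not a regular file
                return None
            manifest = json.loads(fh.read().decode("utf-8"))
    except (tarfile.TarError, ValueError, UnicodeDecodeError):
        return None
    return manifest if isinstance(manifest, dict) else None


def check_package_name(manifest, submitted_name):
    """The check from the thread: the manifest's package name must match the
    name the developer entered in SCA."""
    manifest_name = manifest.get("name")
    if not isinstance(manifest_name, str) or not manifest_name:
        return {"check": "package-name", "ok": False,
                "message": "manifest has no package name"}
    if manifest_name != submitted_name:
        return {"check": "package-name", "ok": False,
                "message": "manifest name %r does not match submitted name %r"
                           % (manifest_name, submitted_name)}
    return {"check": "package-name", "ok": True, "message": "package name matches"}


def scan_package(package_bytes, submitted_name):
    """Scanner-side work for one upload: read the file, run the checks, and
    return the payload the service would post back in its callback request."""
    manifest = extract_manifest(package_bytes)
    if manifest is None:
        return {"ok": False, "extracted": {}, "results": [
            {"check": "manifest", "ok": False, "message": "could not read manifest"}]}
    results = [check_package_name(manifest, submitted_name)]
    return {
        "ok": all(r["ok"] for r in results),
        # Fields pulled from the package so the developer need not re-enter them.
        "extracted": {"name": manifest.get("name"), "version": manifest.get("version")},
        "results": results,
    }


if __name__ == "__main__":
    pkg = build_sample_package(SAMPLE_MANIFEST)
    print(json.dumps(scan_package(pkg, "com.example.developer.demo"), indent=2))
    print(json.dumps(scan_package(pkg, "com.example.other"), indent=2))
```

The scanner treats an unreadable upload or a missing manifest as a failed check rather than an exception, so the callback always carries a result the SCA side can show to the developer or the reviewers, whichever point in the workflow the check ends up at.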
