Clipperz on Google App Engine

[JoelR]

I'm playing around with Clipperz and have managed to get it running on
the Google App Engine (with help from Giulio).
I'm using the 1251 build and a clipperz.py that Giulio provided.

I only had to make a few changes to get it working. One was a GAE
transactional problem.
I had to update the build to use the JSON proxy manager and add a
global to the index template file to support that.

The biggest issue was the size of the index.html file (since
everything is put into one file).
I ended up making two files. One with the main clipperz js and
another with the supporting gui files which I'm calling gui.js.
So added one additional script tag in the index template to load the
gui.js.

Since I'm only starting to use clipperz I'm not even close to being
aware of all it can do and I doubt that what I have running on GAE is
as stable as the official version. But I want to be able to prove to
myself that I can always get to my passwords (call me crazy).

So the only thing I've tested on the GAE install is basic account
creation and a couple of cards.
I don't know how the bookmarklet stuff works yet so I've no idea if
that works.

(And I'm not suggesting that the way I put this together is the
'right' way.)

Now I need to learn more about what I can do with clipperz and see if
I can come up with ideas for it.

One question. What's the benefit of putting everything into one
file? Avoiding lots of downloads for the supporting js I understand,
but browsers cache well these days and it should be easy to setup
proper expirations on those js files that don't change much.
And not to suggest that I know what I'm talking about, but what about
Dojo these days? I'm just starting to learn it... It's under active
development with a large community, seems efficient, is current, etc.
(Obviously a re-write of Clipperz GUI is not a high priority.)

Comments? Questions? What's the point? I've been waiting for
this!? Whatever, I'm interested.

Cheers,
Joel

ps. I 'bout forgot. You can get to the GAE version here:
https://vgrok.appspot.com/
Ignore the 'vgrok', it's something I was playing around with a while
back.
Furthermore GAE support for https is currently restricted to the
appspot.com domain (where all the GAE apps are hosted).

[Giulio Cesare Solaroli]

Hello Joel,

nice to see you have done some progress with the experimental porting
to App Engine.

On Sat, Nov 1, 2008 at 5:11 PM, JoelR <joel.r...@gmail.com> wrote:
>
> I'm playing around with Clipperz and have managed to get it running on
> the Google App Engine (with help from Giulio).
> I'm using the 1251 build and a clipperz.py that Giulio provided.

At this point there is no problem at all, but please be aware that the
code downloaded from the 1251 has a different license from the code of
the App Engine version we released and that of the Community Edition.

We have just released a couple of updates to the online application
and we are going to update also the Community Edition code very soon.

We are aware that we are not including all the required tools in all
the different packages that we offer, so no body will complain right
now.

If you could help us integrating all your changes (included the
building tools required) into the community edition, we would be very
pleased.

And this would also solve the licensing issue, as it would be later
possible to use all the AGPL licensed code.

> [...]

> One question. What's the benefit of putting everything into one
> file? Avoiding lots of downloads for the supporting js I understand,
> but browsers cache well these days and it should be easy to setup
> proper expirations on those js files that don't change much.

The full answer is here:
- http://www.clipperz.com/reviewing_the_code/checksums

Basically, you would like to have an option to check that the
application that you are going to use is safe. In order to do this,
the best option that we have found so far is to pack everything
together in order to be able to perform some sort of integrity check.

For example, I always use this url to access Clipperz:
- http://www.clipperz.com/integrityCheck.php?md5=e4e1d179f96176c731db315d6b53d0b1

This script is actually running on the same server where the
application is running, so it is not a great improvements, but we have
provided the script
(http://groups.google.com/group/clipperz/browse_thread/thread/22c7cff41adf9b3a)
and anybody can run it on their own.

This is still not 100% safe, but it the closest arrangement we have
found so far.

> And not to suggest that I know what I'm talking about, but what about
> Dojo these days? I'm just starting to learn it... It's under active
> development with a large community, seems efficient, is current, etc.
> (Obviously a re-write of Clipperz GUI is not a high priority.)

Dojo, last time that I checked, was downloading the widgets templates on demand.
Given the constraint I listed above, I hope you agree with me that it
was not an option. :-)

> [...]

Regards,

Giulio Cesare

[Joel Riedesel]

Hi Giulio,

On Sat, Nov 1, 2008 at 11:01 AM, Giulio Cesare Solaroli <giulio...@gmail.com> wrote:

We are aware that we are not including all the required tools in all
the different packages that we offer, so no body will complain right
now.

If you could help us integrating all your changes (included the
building tools required) into the community edition, we would be very
pleased.

And this would also solve the licensing issue, as it would be later
possible to use all the AGPL licensed code.

This sounds great.  I was getting my feet quite wet and should be able to work with the community edition and update it, etc.

What is the best way to do so?  One can download the current community edition from sourceforge, but how then do I incorporate any changes to support app engine?

I don't see any sort of SVN access.  Is that a possibility?

 

> [...]

> One question.  What's the benefit of putting everything into one
> file?  Avoiding lots of downloads for the supporting js I understand,
> but browsers cache well these days and it should be easy to setup
> proper expirations on those js files that don't change much.

The full answer is here:
- http://www.clipperz.com/reviewing_the_code/checksums

Ahhh, I see.  Fascinating problem.  Must be some way to solve it - something to think about it.

Joel


--
Build your own smart web apps: http://jnana.appspot.com

[Joel Riedesel]

Ok, I've thought a small amount about this checksum problem.

Possibly naive question:

Doesn't https obviate the need for a checksum?

If I trust the website (and what they say is the checksum)... a certificate is more involved as one has to be verified by the issuing authority.  It seems that a checksum is only as good as my belief that I can trust you in the first place.

But https adds a little bit to that level of trust, doesn't it?

Joel

On Sat, Nov 1, 2008 at 11:01 AM, Giulio Cesare Solaroli <giulio...@gmail.com> wrote:

> [...]

> One question.  What's the benefit of putting everything into one
> file?  Avoiding lots of downloads for the supporting js I understand,
> but browsers cache well these days and it should be easy to setup
> proper expirations on those js files that don't change much.

The full answer is here:
- http://www.clipperz.com/reviewing_the_code/checksums

[Giulio Cesare Solaroli]

Hello Joel,

On Sat, Nov 1, 2008 at 6:33 PM, Joel Riedesel <joel.r...@gmail.com> wrote:
> Hi Giulio,
>
> On Sat, Nov 1, 2008 at 11:01 AM, Giulio Cesare Solaroli
> <giulio...@gmail.com> wrote:
>>
>> We are aware that we are not including all the required tools in all
>> the different packages that we offer, so no body will complain right
>> now.
>>
>> If you could help us integrating all your changes (included the
>> building tools required) into the community edition, we would be very
>> pleased.
>>
>> And this would also solve the licensing issue, as it would be later
>> possible to use all the AGPL licensed code.
>
> This sounds great. I was getting my feet quite wet and should be able to
> work with the community edition and update it, etc.
> What is the best way to do so? One can download the current community
> edition from sourceforge, but how then do I incorporate any changes to
> support app engine?
> I don't see any sort of SVN access. Is that a possibility?

SourceForge is providing an SVN access:
- http://sourceforge.net/svn/?group_id=223257

In the current community edition there is only the PHP backend, but if
you wish, we could grant you write access the the repository in order
to submit the patches for the Python version.

As this would be the very first contribution we receive from an
external person, I need to check if we need some sort of contribution
agreement in place before proceeding.

> [...]
>> > One question. What's the benefit of putting everything into one
>> > file? Avoiding lots of downloads for the supporting js I understand,
>> > but browsers cache well these days and it should be easy to setup
>> > proper expirations on those js files that don't change much.
>>
>> The full answer is here:
>> - http://www.clipperz.com/reviewing_the_code/checksums
>
> Ahhh, I see. Fascinating problem. Must be some way to solve it - something
> to think about it.

If you go through our blog / site / forum, you will find that this
argument is popping up very often. :-)

Regards,

Giulio Cesare

[Giulio Cesare Solaroli]

Hello Joel,

On Sat, Nov 1, 2008 at 7:17 PM, Joel Riedesel <joel.r...@gmail.com> wrote:
> Ok, I've thought a small amount about this checksum problem.
> Possibly naive question:
> Doesn't https obviate the need for a checksum?
> If I trust the website (and what they say is the checksum)... a certificate
> is more involved as one has to be verified by the issuing authority. It
> seems that a checksum is only as good as my belief that I can trust you in
> the first place.
> But https adds a little bit to that level of trust, doesn't it?

from our point of view, https is useful only to preserve the integrity
of the data channel between the browser and the server.

The checksum instead should ideally remove any requirement for any
kind of trust.

We may be very careful in whatever we do, but our server is hosted in
a facility where other people have access to our content. Or our site
may just be hacked.

Many things can go wrong when you are hosting your secure application
online. For this reason, we are striving to offer our users a
convenient way to know that the application that they are using is the
right one.

If you are using the "right" application, you may also be talking with
a malicious server and the worst thing that could happen is that you
are loosing some data, as you may be very confidente that the
application is not sending any private information to the server in a
clear text format.

We have called this architecture "Zero-Knowledge web application":
- <http://www.clipperz.com/users/marco/blog/2007/08/24/anatomy_zero_knowledge_web_application>
- <http://www.clipperz.com/users/marco/blog/2008/05/30/freedom_and_privacy_cloud_call_action>

It is still an open ended problem, but if you want to use the cloud
for storing sensitive information, this is the right way to go.

Regards,

Giulio Cesare

[Joel Riedesel]

Giulio,

I think I need to wait for the update to the community edition.

There seem to be enough differences that simply trying to use the build process from the official version doesn't work.

Joel

On Sat, Nov 1, 2008 at 10:01 AM, Giulio Cesare Solaroli <giulio...@gmail.com> wrote:

Hello Joel,

On Sat, Nov 1, 2008 at 5:11 PM, JoelR <joel.r...@gmail.com> wrote:
>
> I'm playing around with Clipperz and have managed to get it running on
> the Google App Engine (with help from Giulio).
> I'm using the 1251 build and a clipperz.py that Giulio provided.

At this point there is no problem at all, but please be aware that the
code downloaded from the 1251 has a different license from the code of
the App Engine version we released and that of the Community Edition.

We have just released a couple of updates to the online application
and we are going to update also the Community Edition code very soon.

Regards,

Giulio Cesare

[Giulio Cesare Solaroli]

Ok.