[RFC 0/3] Add "events"

Daniel Axtens dja at axtens.net
Mon Nov 7 10:30:25 AEDT 2016


>> ?since= would be much nicer, but that's a minor quibble.
>
> I agree - 'since' and 'until' are what I generally expect. On that note, 
> we still have to do REST API filtering :O

Oh, I didn't realise that was missing! *sigh*

>> Some random, related thoughts:
>> 
>> Does DRF support rate limiting? As we grow a bigger API we might want to
>> consider that.
>
> To the best of my knowledge it does, though I don't know if this is 
> something one would do at the application layer. Rate limiting really 
> seems like something a lower level component, such as nginx itself or 
> HAProxy, would be suited for. If we're going to start making full use of 
> the DRF functionality, supporting some form of caching (read: ETags) 
> would return far better ROI, IMO.

I guess my thoughts are "it depends".

If you look at the way the GitHub and Travis CI APIs work, they both have
rate-limiting at the API level, including providing headers that show
how much of your rate limit you've used. This is really helpful if
you've got particular endpoints that are very expensive (e.g. search
endpoints).

>> Thinking of rate limiting - do we have it for the login page? Should we
>> add it to avoid brute forcing of credentials?
>
> We don't, nor do I know if we care about it. Patchwork would appear to 
> be a very low value target, seeing as it has no direct repo or mailing 
> list access. However, it looks like there are packages available [1] to 
> handle this, if sysadmins cared enough. Maybe someone should 
> document this.

Fair enough.

Certainly I agree that the entire concept is a pretty low priority issue
- let's get back to it a bit later. (Normally I don't like the idea of
bolting on security/limits later, but I think we'll get away with it
here.)

> What are your thoughts on the overall idea. This would, out of 
> curiosity, be something you or Andy would fancy running with, would it? 
> :)

I think the overall idea of events is solid. What would be the best way
to be helpful here? Do you want me to review the individual patches?

Regards,
Daniel
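The two rate-limiting ideas discussed above (per-client quota headers on expensive API endpoints, and throttling failed logins per account) in one small worked example. This is added illustration code, not Patchwork's code and not the packages referred to in the thread; the class and function names, the `ManualClock` helper and the `USERS` table are constructed for the example, and the `X-RateLimit-*` / `Retry-After` header names follow the GitHub convention mentioned in the mail.

```python
import hmac
import time
from typing import Callable, Dict, Tuple

# Constructed credential store for the demo only (assumption: real code uses
# the framework's hashed-password store, never a plaintext dict).
USERS = {"alice": "correct-horse-battery-staple"}


class ManualClock:
    """Injectable clock so the window roll-over can be exercised deterministically."""

    def __init__(self, t: float) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


class FixedWindowLimiter:
    """At most `limit` hits per `window` seconds for each key (API token,
    client address, account name ...). Counts are kept in memory; a real
    deployment would keep them in a shared store such as the cache."""

    def __init__(self, limit: int, window: int,
                 now: Callable[[], float] = time.time) -> None:
        self.limit = limit
        self.window = window
        self.now = now
        self._counts: Dict[str, Tuple[int, int]] = {}  # key -> (hits, window start)

    def _window(self) -> Tuple[int, int]:
        t = int(self.now())
        start = t - t % self.window
        return start, start + self.window          # (start, reset time)

    def used(self, key: str) -> int:
        """Hits recorded for `key` in the current window (0 once it rolls over)."""
        start, _ = self._window()
        hits, seen = self._counts.get(key, (0, start))
        return hits if seen == start else 0

    def hit(self, key: str) -> bool:
        """Charge one hit; return False (charging nothing) if the quota is exhausted."""
        start, _ = self._window()
        hits = self.used(key)
        if hits >= self.limit:
            return False
        self._counts[key] = (hits + 1, start)
        return True

    def headers(self, key: str) -> Dict[str, str]:
        """GitHub-style quota headers so well-behaved clients can back off early."""
        _, reset = self._window()
        remaining = max(self.limit - self.used(key), 0)
        h = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(remaining),
            "X-RateLimit-Reset": str(reset),
        }
        if remaining == 0:
            h["Retry-After"] = str(reset - int(self.now()))
        return h


def handle_search(limiter: FixedWindowLimiter, client: str, query: str):
    """Expensive endpoint: every request costs quota; headers are always returned."""
    if not limiter.hit(client):
        return 429, limiter.headers(client), {"error": "rate limit exceeded"}
    return 200, limiter.headers(client), {"results": [f"match for {query!r}"]}


def handle_login(throttle: FixedWindowLimiter, username: str, password: str):
    """Login endpoint: only failed attempts consume quota, keyed per account, so
    a client that always authenticates correctly is never throttled, while
    guessing against one account is capped at `throttle.limit` per window."""
    if throttle.used(username) >= throttle.limit:
        return 429, throttle.headers(username), {"error": "too many failed attempts"}
    expected = USERS.get(username, "")
    # compare_digest: constant-time comparison of equal-length inputs.
    ok = hmac.compare_digest(expected.encode(), password.encode()) and username in USERS
    if ok:
        return 200, {}, {"ok": True}
    throttle.hit(username)
    return 401, throttle.headers(username), {"error": "bad credentials"}


if __name__ == "__main__":
    api = FixedWindowLimiter(limit=3, window=60)
    for _ in range(4):                      # fourth call is answered with 429
        status, hdrs, _body = handle_search(api, "token-abc", "mbox")
        print(status, hdrs)
```

Keying the login throttle by account rather than by source address is deliberate: it caps guessing against a single account even when attempts are spread across many addresses, and it never penalises a correct login, which is the failure mode a source-address lockout on a shared NAT would hit.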
