The nodejs plugin downloads packages during the build

Bug #1612005 reported by Leo Arias
Affects           Status        Importance  Assigned to   Milestone
Launchpad itself  New           Undecided   Unassigned
Snapcraft         Fix Released  High        Scott Moser

Bug Description

The build step of the nodejs and gulp plugins involves running npm install. This makes launchpad builds fail, because they only allow downloads during the pull phase:

Building assets
npm install -g gulp-cli
npm ERR! Linux 3.13.0-93-generic
npm ERR! argv "/build/snapweb/parts/assets/npm/bin/node" "/build/snapweb/parts/assets/npm/bin/npm" "install" "-g" "gulp-cli"
npm ERR! node v4.4.4
npm ERR! npm v2.15.1
npm ERR! code ENOTFOUND
npm ERR! errno ENOTFOUND
npm ERR! syscall getaddrinfo

Leo Arias (elopio) wrote :

Sergio suggests that instead of changing the plugins, launchpad should allow downloads during the build phase too. I've added the launchpad task so we can start the discussion to see where the best place to fix this is.

Colin Watson (cjwatson) wrote :

We're quite reluctant to do this because it basically opens the floodgates to having all snaps be able to download anything whenever they like. I understand that this would have some usability benefits, but it imposes a strong requirement on us to do much more monitoring of our build farm than we currently have the capacity to do. Anyone at all can ask Launchpad to build a snap for them, and that means that anyone can cause the Launchpad build farm to issue fairly arbitrary web requests: what happens if somebody uses us to execute a denial of service attack against some other service? What if that causes that service to blacklist us, affecting anyone else who wants to use the Launchpad build farm to perform legitimate snap builds?

The benefit of doing things in the pull phase is that it can be (at least almost entirely) declarative, rather than giving people largely-unrestricted access to issue more or less whatever requests they like through our proxy.

As such, we'd push back quite hard against a proposal to open this up to the build phase. Please consider doing this in pull instead.

Kyle Fazzari (kyrofa) wrote :

Thanks for the reply, Colin. I see where you're coming from, but I also see two problems with it:

1) The floodgates are already open. If someone wants to get around the blockade, all they have to do is use a local plugin that does whatever they want in the pull phase, like so:

    http://pastebin.ubuntu.com/23047975/

2) You're trying to avoid internet access in the build step. But by asking us to "do this in pull instead," you're literally asking us to combine the build and pull step. Which means we have internet access in the build step anyway, but we lose our pull->build->stage->prime lifecycle for the plugins in question. For _everyone_, not just users of the Launchpad snap builders.

With these things in mind, it seems to us that blocking internet access in all but the pull step doesn't do much to protect anything, but definitely gets in the way of legitimate use.

Leo Arias (elopio) wrote :

Could we have firewall rules that deny excessive downloads to the same URL to forbid DOS attacks?
Those rules should be put in place in the pull phase now, as Kyle points out.

There are all kinds of crazy build scripts out there. Forcing them to do all the downloads in the pull is one more step for upstreams to adopt snaps, and sometimes it's not even doable.

It sounds really nice, because you could pull in one machine, copy everything to another and then do the build in there completely isolated. But from what I've seen these months building snaps, it might be too much to ask.
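The rate-limit rule Leo proposes above, sketched as an added example (not part of this thread, and not Launchpad's or snapcraft's code): count requests per build and URL inside a sliding window over build-farm proxy logs and flag any pair that exceeds a threshold. The log format (build id, epoch seconds, URL) and the sample lines are constructed assumptions.

```python
"""Flag builds that hammer one URL through the build-farm proxy.

Added example illustrating the firewall/rate-limit rule suggested in
the thread. The log layout "<build-id> <epoch-seconds> <url>" is an
assumption for this sketch, not Launchpad's real proxy log format.
"""
from collections import defaultdict, deque

# Constructed sample proxy log: two builds, one of which repeatedly
# fetches the same URL in a short burst.
SAMPLE_LOG = """\
snap-42 1000 https://registry.npmjs.org/gulp-cli
snap-42 1001 https://registry.npmjs.org/gulp-cli/-/gulp-cli-1.2.2.tgz
snap-77 1000 https://example.test/api
snap-77 1001 https://example.test/api
snap-77 1002 https://example.test/api
snap-77 1003 https://example.test/api
snap-77 1004 https://example.test/api
snap-77 1005 https://example.test/api
snap-77 1400 https://example.test/api
"""


def parse_line(line):
    """Split one log line into (build_id, timestamp, url)."""
    build, ts, url = line.split(maxsplit=2)
    return build, int(ts), url


def flag_excessive(log_text, limit=5, window=60):
    """Return {(build, url): ts} for pairs that issued more than `limit`
    requests to the same URL within any `window`-second span; `ts` is the
    timestamp at which the threshold was first crossed."""
    recent = defaultdict(deque)  # (build, url) -> timestamps still in window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        build, ts, url = parse_line(line)
        key = (build, url)
        q = recent[key]
        q.append(ts)
        # Drop timestamps that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit and key not in flagged:
            flagged[key] = ts
    return flagged
```

A real deployment would key on the proxy's own request records and act on the flag (deny or throttle) rather than just report it.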

Sergio Schvezov (sergiusens) wrote :

Related bug LP: #1616421

Sergio Schvezov (sergiusens) wrote :

Moved the gulp work to LP: #1618622

summary: - nodejs and gulp plugins download packages during the build
+ The nodejs plugin downloads packages during the build
Sergio Schvezov (sergiusens) wrote :
Changed in snapcraft:
status: New → Fix Committed
importance: Undecided → High
assignee: nobody → Scott Moser (smoser)
milestone: none → 2.16
Changed in snapcraft:
status: Fix Committed → Fix Released
Bruno Nova (brunonova) wrote :

I just tried building a snap that uses gradle in Launchpad, and it failed: first when downloading the gradle wrapper and then, after switching to the system "gradle" command, when downloading the dependencies from Maven.

This makes the gradle plugin completely useless in Launchpad.
And I suppose maven will also fail.

Sergio Schvezov (sergiusens) wrote :

plugin no longer supported
