As a note on this, it would be important to not include &quot;hidden&quot; datasets in the output, or at least make it an option to not included them. With regards the large fastq (and SAM), there were murmurs recently about an option to turn off metadata for files over a particular size or something similar. Any progress on that?<div>
<br></div><div>Cheers</div><div>Dennis<br><br><div class="gmail_quote">On Wed, Jun 30, 2010 at 7:56 AM, Assaf Gordon <span dir="ltr">&lt;<a href="mailto:gordon@cshl.edu">gordon@cshl.edu</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Kudos for this nice feature. It would be very useful, both for backups and for exchanging histories between Galaxies.<br>
<br>
But as usual ;) I have couple of comments:<br>
<br>
1. Exporting big files doesn&#39;t work.<br>
You first create the tar file, then add the individual datasets, and only then stream the tar file to the user.<br>
very bad. Try exporting a history with 18M-paired-end-76nt-reads FASTQ files (and remember that they are duplicated because you guys still insist on grooming).<br>
The proxy (apache at least) will surely timeout.<br>
<br>
BTW, since you&#39;re using native python Tarfile, the python process will keep being on 100% CPU long after the client connection timed out. 20 users exporting large histories at the same time will constitute a DDOS attack ;)<br>

<br>
2. Importing large files (after you&#39;ll fix exporting large files...) will cause the same problems as uploading huge FASTQ files (and you&#39;re seeing more and more complaints about those).<br>
<br>
<br>
Combining 1+2, I would suggest the following:<br>
1. Make the export a new &quot;job&quot;. This will allow it to run for a long time, in a separate process, not blocking python and not tying the user to the browser (also remember: downloading 3GB with your browser is no fun).<br>

Since your code already store &quot;temporary&quot; tarballs in a dedicated &quot;export&quot; directory, just keep them there for an arbitrary amount of time (let say: 4 days),<br>
and provide the user will a link to download the history at his/her own convenience.<br>
<br>
2. Allow importing a history from a URL.<br>
This will also have the benefit of not transferring huge tarballs through the users&#39; personal computer when they want to transfer histories between Galaxies.<br>
They will go to one Galaxy, run the &quot;export&quot; job, get a download link, wait until the export job is done, then go to the other Galaxy, and simply import the history with that link.<br>
<br>
<br>
And a bonus:<br>
You&#39;ve checked the tarball for malicious files, but not the JSON attributes.<br>
If I import a history with a dataset that have:<br>
  [ { &quot;file_name&quot;: &quot;../../../etc/passwd&quot; } ]<br>
<br>
I can get any file on the system into Galaxy (this happens in &lt;galaxy&gt;/lib/galaxy/web/controllers/history.py:580).<br>
If I import &quot;/dev/urandom&quot; it&#39;ll be even more fun.<br>
<br>
I would recommend against checking for &quot;..&quot; or &quot;/&quot; (as in line 457), because a determined person could possibly circumvent that with tricks like &quot;.\u002E/etc/passwd&quot; etc.).<br>
Instead, construct the full path (as set in the dataset attributes), then check with os.path.abspath() that it resides in the temporary import directory.<br>
<br>
<br>
Comments are welcomed,<br>
        -gordon<br>
_______________________________________________<br>
galaxy-dev mailing list<br>
<a href="mailto:galaxy-dev@lists.bx.psu.edu">galaxy-dev@lists.bx.psu.edu</a><br>
<a href="http://lists.bx.psu.edu/listinfo/galaxy-dev" target="_blank">http://lists.bx.psu.edu/listinfo/galaxy-dev</a><br>
</blockquote></div><br><br clear="all"><br>
</div>