auto reject based on something

Comments (22)

1. 

   Gregoire Detrez

   Yes, I'd like that too :-D The problem is that we need to be able to let this other computer get the assignment files in a secure manner. Which means managing auth tokens of some sort, or ssh keys.

   I have some ideas on doing that with git+ssh but it'll still require some work

   • 2014-03-31T15:52:28+00:00
2. 

   Evgeny Kotelnikov

   It would certainly be useful to have some sort of hooks for that, not an ad hoc solutoin.

   I can imagine a very simple solution: graders are allowed to attach a Python script to a lab. There will be Fire's API exposed (as Python function/classes/etc), so you have access to attached files and everything. You can run external processes (compilers, lints, etc), available on the server. Every time there's a new submission, script is executed; after that there's an icon next to the submittion (red or green) with the transcript of the check.

   • 2014-04-01T12:11:28+00:00
3. 

   Luciano Bello reporter

   I think is better to externalize the check (for flexibility and maintenance). Grader can set a server where Fire send the things (can be over SSL) and get an answer. If you define the API, the grader just need to follow it.

   • 2014-04-01T12:20:36+00:00
4. 

   Evgeny Kotelnikov

   It does sound like like it's more "correct" way to go, but it also requires setting up complex infrastructure with SSL access, authorization tokens, remote API as so forth. Does the benefit of doing things correctly outweight the extra effort needed for the implementation?

   What are the drawbacks of local Python scripts that I described?

   • 2014-04-01T13:39:01+00:00
5. 

   Gregoire Detrez

   I agree with Luciano, this has to be done on a different machine. Courses can have all sort of crazy requirements for weird tools and specific versions and it will be hell to maintain. And more generally, executing user code on the server is not a good idea: it would need to be sandboxed, with limited resources so it doesn't crash the server, etc etc

   • 2014-04-01T14:15:41+00:00
6. 

   Evgeny Kotelnikov

   Well, that depends on the kind of things you would like to check. If the majority of courses require complicated environments then separate servers will surely be more convinient. I'm not sure if that it's the case. In my datastructures course with Java code submission simple "Try to compile" button would already helped a lot. And it would be much easier to implement it locally.

   Remember that any new infrastrucre is a lot of code and a lot of bugs.

   • 2014-04-01T14:50:24+00:00
7. 

   Gregoire Detrez

   That mean you at least need a java compiler, the database course would need psql, some courses will need a haskell compiler, not necessarily the same version...

   And this is only one part of the problem: we would need to sandbox all of those which probably means firing and controlling virtual machines or linux containers to run the hook. I believe this will be a lot more infrastructure than some http hooks with an API.

   • 2014-04-01T15:08:15+00:00
8. 

   Luciano Bello reporter

   In compilers we need Java with some obscure libs. Haskell with another bunch of libs. Even run some in-house tests.

   • 2014-04-01T15:29:37+00:00
9. 

   Evgeny Kotelnikov

   • marked as minor

   • 2015-01-09T14:39:42+00:00
10. 

    JonasDuregard

    How about this, if you can require a code from the user upon submission (and also provide instructions on how they obtain the code). Then the code could be provided when they upload their submission to a separate server (a bit unfortunate, requiring them to upload the same files twice) or by running a testing application provided on the course webpage or on the Chalmers computer system. It could also be as simple as requiring them to write "yes" when asked if they have done the required testing, which could be enough in many cases.

    How fancy the codes are can vary from a simple code word to some sort of cryptographic signing. Using the former should not be a problem as long as you are aware that it might happen that someone tries to bypass the check (I doubt anyone will actually do it).

    • 2015-11-14T13:54:07+00:00
11. 

    Evgeny Kotelnikov

    I think it's about as complex as implementing a hooks system.

    • 2015-11-16T19:27:52+00:00
12. 

    JonasDuregard

    Certainly requesting a passphrase is simpler?

    Something like this:

    answer = prompt("Confirm that you have used the testing tool by writing I HAVE TESTED");
    if (answer != "I HAVE TESTED") {
      abortSubmission("Incorrect passphrase");
    }
    

    Of course a more general solution would be better, but simpler?

    • 2015-11-16T20:48:19+00:00
13. 

    Evgeny Kotelnikov

    I thought you meant that the testing server would generate a code when all the tests have passed and that code would be checked by Fire.

    Making a student confirm that they run the tests is of course simple.

    • 2015-11-16T23:00:06+00:00
14. 

    H E

    I know whatever solution that involves JavaScript is not considered serious but I suggest the following solution:

    Allowing course responsible to define onclick javascript Event for submit button. This way the course responsible can perform some basics checks or even send the files to another server for further assessment. Sample JavaScript can also be provided.

    • 2016-01-25T10:46:47+00:00
15. 

    Gregoire Detrez

    I think this solution has two major problems:

    • The javascript will be executed on the student browser, so they could easily change it to do whatever they want (like bypassing the checks)
    • if the file is send to a separate server this way, there need to be a mechanism to get the response from this server. And in that case, the response need to reach the student browser, not just the server, which makes is really complicated.

    • 2016-01-25T14:46:08+00:00
16. 

    Gregoire Detrez

    Maybe we should divide this issue in two:

    Simple checks on the file list could be implemented in fire itself and used to refuse incorrect submissions (e.g. allowing only some extensions, disallowing empty submission, etc..).

    More complex tests (linter, compilation, test-suite, etc) should be run asynchronously on a separate server. This probably means that the submission should be allowed (we don't wait for the external server). Also, in that case, the pass/fail feedback should be shown as an indication to the grader but not necessarily used to automatically reject submissions (a bit like the way github shows build status on pull requests).

    • 2016-01-25T19:02:08+00:00
17. 

    Evgeny Kotelnikov

    Maybe we should divide this issue in two

    Agree. Actually, I thought that part 1 in one of the issues already.

    • 2016-01-25T19:47:25+00:00
18. 

    H E

    I was aware of the weaknesses. Javascript can be disabled but if a student cheats they will eventually be caught when the submission is checked by a grader. Sending file to another server and looking at the response and showing an error msg in the student's browser [the complicated mechanism] can all be done in the javascript. I think in order to keep the Fire system simple, the Fire should not deal with all these special cases (file type, file content, result of execution), sandboxing and ...

    • 2016-01-25T21:51:40+00:00
19. 

    Gregoire Detrez

    • assigned issue to
      
      Gregoire Detrez

    • 2016-02-23T08:38:56+00:00
20. 

    Gregoire Detrez

    I have implemented a simple rule that allows only a predefined set of extension. I also have been talking with the TAs for the AI course to implement the hook system. I'll try to post the progress here.

    • 2016-02-23T08:42:46+00:00
21. 

    Gregoire Detrez

    • changed status to open

    • 2016-02-23T09:24:51+00:00
22. 

    Gregoire Detrez

    • changed status to resolved

    To be tested in LP4 2016

    • 2016-03-09T11:40:49+00:00
23. Log in to comment