How should we protect setting official package branch links (take 2)
Francis J. Lacoste
francis.lacoste at canonical.com
Wed Jun 15 22:15:28 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
While fixing bug #365098 (allowing package uploaders to set official
source package branch), we hit a regression with the importer bug #797088.
I have a fix for the regression, but I'd like to confirm the
requirements around that piece to make sure that it's the end of the story.
Basically, the fix ignores the pocket argument to setBranch. If the user
has archive permission to upload the source package, he's allowed to set
the official branch.
Now, that means that any uploader (who has permission through the
archive permissions) would be able to set an official package branch in
the release pocket on SUPPORTED or CURRENT series. They couldn't upload
a package there though. Is that a problem?
Some argued that setting the official package branch is the logicial
equivalent of an upload. Since I think we are shying away from automatic
builds, I'm not sure this argument stands.
In which case, that's more a kind of meta-data gardening which might not
be a problem.
Also, if we'd want to restrict this, we would have to model a
'package-importer' role on the distribution since it seems that the
package-importer should have that permission regardless of the states of
pocket, because it does garden historical meta-data.
Thanks for your opinion on this.
- --
Francis J. Lacoste
francis.lacoste at canonical.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk35LwAACgkQM2AFUiyz+TfTewCgvGEitJ+4lcQwqRaWJaixDnrF
L6EAoLd9JeuAGYeLm0QfGbx5paNaadqa
=2MEU
-----END PGP SIGNATURE-----
More information about the technical-board
mailing list