Thursday 29 May 2014

Re: Point of reviews

On Fri, May 23, 2014 at 12:01:43PM -0400, Scott Kitterman wrote:
> On Friday, May 23, 2014 19:54:05 Dmitry Shachnev wrote:
> > Does this mean that anyone can bypass the NEW queue by uploading a
> > package to any PPA and then copying it using copy-package?
> >
> > If yes, then I would consider it a security hole.

This is https://bugs.launchpad.net/launchpad/+bug/993120. I think I've
finally figured out how to fix this without blocking on more fundamental
redesign work, so I'm working on this now.

> Particularly since the list of people that can upload to the relevant PPAs is
> not constrained to Ubuntu developers. It not only can bypass New, it can
> bypass all the normal sponsorship process.

I raised this in a discussion today about the CI Airline (which will be
replacing CI Train soon), requesting that we make sure that the Airline
uses LP's checkUpload method to ensure that every change it lands has
been reviewed by (at least) somebody who can upload the package in
question; in my mind that makes it equivalent to a fancy sponsorship
system for this purpose. This is on the to-do list for the Airline now,
if I'm reading the task list correctly.

--
Colin Watson [cjwatson@ubuntu.com]
