Friday 23 May 2014

Re: Point of reviews

On Fri, May 23, 2014 at 12:01:43PM -0400, Scott Kitterman wrote:
> On Friday, May 23, 2014 19:54:05 Dmitry Shachnev wrote:
> > On Fri, May 23, 2014 at 7:27 PM, Didier Roche <didrocks@ubuntu.com> wrote:
> > >> Since CI train packages are mostly Ubuntu specific (Qt5 is
> > >> somewhat unique in this regard), I'd suggest those need review in New
> > >> much
> > >> more than the 75% of our packages we get from Debian unmodified that have
> > >> already been through New there.
> > >
> > > This is the case since we had daily release and it's a bug/feature in
> > > Launchpad itself.
> >
> > Does this mean that anyone can bypass the NEW queue by uploading a
> > package to any PPA and then copying it using copy-package?
> >
> > If yes, then I would consider it a security hole.
>
> Particularly since the list of people that can upload to the relevant PPAs is
> not constrained to Ubuntu developers. It not only can bypass New, it can
> bypass all the normal sponsorship process.

Can someone lay this "vulnerability" out a bit more clearly from a security perspective? What are the relevant steps in the daily release process, who is involved at each step, how does this differ from going thru the NEW queue, what is the "threat", what would an "attack" look like?

Is it that a new set of people can actually get stuff into Ubuntu, or that the procedural guidlines that help the empowered people do security/quality revew are bypassed, or something else?

What are proposed alternative processes, and how would they affect daily builds?

Links to previous discussions (with good context if possible) would be great.

Thanks,

Neal McBurnett http://neal.mcburnett.org/

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel