Friday 23 May 2014

Re: Point of reviews

On Friday, May 23, 2014 19:54:05 Dmitry Shachnev wrote:
> On Fri, May 23, 2014 at 7:27 PM, Didier Roche <didrocks@ubuntu.com> wrote:
> >> Since CI train packages are mostly Ubuntu specific (Qt5 is
> >> somewhat unique in this regard), I'd suggest those need review in New
> >> much more than the 75% of our packages we get from Debian unmodified
> >> that have already been through New there.
> >
> > This is the case since we had daily release and it's a bug/feature in
> > Launchpad itself.
>
> Does this mean that anyone can bypass the NEW queue by uploading a
> package to any PPA and then copying it using copy-package?
>
> If yes, then I would consider it a security hole.

Particularly since the list of people that can upload to the relevant PPAs is
not constrained to Ubuntu developers. It not only can bypass New, it can
bypass all the normal sponsorship process.

Scott K

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com