On Thursday, May 29, 2014 14:48:24 Colin Watson wrote:
> On Fri, May 23, 2014 at 12:01:43PM -0400, Scott Kitterman wrote:
> > On Friday, May 23, 2014 19:54:05 Dmitry Shachnev wrote:
> > > Does this mean that anyone can bypass the NEW queue by uploading a
> > > package to any PPA and then copying it using copy-package?
> > > 
> > > If yes, then I would consider it a security hole.
> 
> This is https://bugs.launchpad.net/launchpad/+bug/993120.  I think I've
> finally figured out how to fix this without blocking on more fundamental
> redesign work, so I'm working on this now.
> 
> > Particularly since the list of people that can upload to the relevant PPAs
> > is not constrained to Ubuntu developers.  It not only can bypass New, it
> > can bypass all the normal sponsorship process.
> 
> I raised this in a discussion today about the CI Airline (which will be
> replacing CI Train soon), requesting that we make sure that the Airline
> uses LP's checkUpload method to ensure that every change it lands has
> been reviewed by (at least) somebody who can upload the package in
> question; in my mind that makes it equivalent to a fancy sponsorship
> system for this purpose.  This is on the to-do list for the Airline now,
> if I'm reading the task list correctly.

Thanks for working on this.

It seems to me the key control point is whatever controls if something is 
eligible to go into the archive.  If that's a review, then what you're 
suggesting seems spot on.

Scott K

-- 
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
