click manifest name should not contain underscores

Bug #1215133 reported by Jamie Strandboge
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
qtcreator (Ubuntu) | Fix Released | High | Unassigned |
Saucy | Fix Released | High | Unassigned |

Bug Description

Currently qtcreator allows people to name their projects with an underscore. This name is used to fill in various parts of the manifest which are then used to generate click packages, etc. click packages, apparmor and the application lifecycle have the concept of an APP_ID. When you install a click package an APP_ID is assigned in the form of $pkgname_$app_$version where $pkgname is com.ubuntu.developer.<userid>.$appname (note, $app and $appname are often the same, but may be different when in the future we support multiple desktop files per click package). The underscore is a delimiter for the APP_ID and therefore must not be allowed in $pkgname, $app or $version. Because qtcreator allows it, developers could find themselves in a situation where their app is rejected and they have to rename their files and adjust their project.

To illustrate, consider the following manifest:
{
    "framework": "ubuntu-sdk-13.10",
    "hooks": {
        "untitled17": {
            "apparmor": "untitled17.json",
            "desktop": "untitled17.desktop"
        }
    },
    "maintainer": "Jamie Strandboge <email address hidden>",
    "name": "com.ubuntu.developer.jdstrand.untitled17",
    "title": "",
    "description": "",
    "version": "0.1"
}

The APP_ID for the above is: com.ubuntu.developer.jdstrand.untitled17_untitled17_0.1. The APP_ID is derived based on the 'name', hooks dictionary key(s) and the version from the click manifest. The apparmor hook looks at these manifest fields to generate a profile name and policy while the desktop hook looks at them to generate a desktop file. Unity will look at these fields to derive an APP_ID to launch applications in compliance with application lifecycle and application lifecycle.

I didn't verify qtcreator's input validation except to see that it allows '_', but here are regular expressions that validate each part:
 * manifest 'name': ^[a-z0-9][a-z0-9+.-]+$
 * manifest 'version': ^((\d+):)?([A-Za-z0-9.+:~-]+?)(-([A-Za-z0-9+.~]+))?$
 * manifest 'hooks keys': ^[A-Za-z0-9+-.:~-]+$

The allowed characters are based on (which references Debian policy):
http://bazaar.launchpad.net/~click-hackers/click/trunk/view/head:/doc/file-format.rst
http://bazaar.launchpad.net/~click-hackers/click/trunk/view/head:/doc/hooks.rst

Note that the click documentation states that the name should only be the allowable characters for Debian Source packages (which is what the above regex enforces), but click is currently lenient and seems to allow [A-Z] (ie, ^[A-Za-z0-9][A-Za-z0-9\+\-\.]+$). I'm not sure this is a bug in click or a feature (please talk to cjwatson for clarification). The review process currently enforces click documented behavior.

Tags: appstore
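
Added example (not part of the original report and not click or qtcreator code): a Python sketch that applies the three regular expressions from the description to a manifest, builds the APP_ID as $pkgname_$app_$version, and shows that an underscore in any field makes the APP_ID impossible to split back into three parts. The function names and the `my_app` manifest are constructed for illustration.

```python
import re

# Patterns copied verbatim from the bug description.
NAME_RE = re.compile(r'^[a-z0-9][a-z0-9+.-]+$')
VERSION_RE = re.compile(r'^((\d+):)?([A-Za-z0-9.+:~-]+?)(-([A-Za-z0-9+.~]+))?$')
# Inside this character class "+-." is a range, so ',' is accepted as well.
HOOK_KEY_RE = re.compile(r'^[A-Za-z0-9+-.:~-]+$')


def manifest_errors(manifest):
    """Return the manifest fields that fail the report's patterns."""
    errors = []
    if not NAME_RE.match(manifest.get("name", "")):
        errors.append("name")
    if not VERSION_RE.match(manifest.get("version", "")):
        errors.append("version")
    for key in manifest.get("hooks", {}):
        if not HOOK_KEY_RE.match(key):
            errors.append("hooks:" + key)
    return errors


def app_ids(manifest):
    """Build one APP_ID ($pkgname_$app_$version) per hooks key."""
    return ["_".join((manifest["name"], app, manifest["version"]))
            for app in manifest["hooks"]]


def split_app_id(app_id):
    """Split on the '_' delimiter; refuse anything but exactly three fields."""
    parts = app_id.split("_")
    if len(parts) != 3:
        raise ValueError("ambiguous APP_ID (%d fields): %s" % (len(parts), app_id))
    return tuple(parts)


# Constructed manifests: GOOD mirrors the one in the description,
# BAD uses a made-up project name containing an underscore.
GOOD = {"name": "com.ubuntu.developer.jdstrand.untitled17",
        "hooks": {"untitled17": {}}, "version": "0.1"}
BAD = {"name": "com.ubuntu.developer.jdstrand.my_app",
       "hooks": {"my_app": {}}, "version": "0.1"}

if __name__ == "__main__":
    for m in (GOOD, BAD):
        print(app_ids(m), manifest_errors(m))
```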
tags: added: appstore
description: updated
Changed in qtcreator (Ubuntu Saucy):
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

In thinking about this more, it is probably a bit extreme to not allow '_' in the projectname (one could do this in src/libs/utils/projectnamevalidatinglineedit.cpp). It would be better to simply substitute all occurrences of '_' with '-' when generating/editing the click manifest. This would solve the usability problem and keep the patch local to our click packaging.

summary: - application name verification is too lenient
+ click manifest name should not contain underscores
Zoltan Balogh (bzoltan) wrote :

The #1 suggestion from Jamie sounds reasonable and doable. Replacing the _ with - in the security manifest file's name is not a big deal. The only twist is that I need to make sure that when reading up the security manifest for a project that has _ in its name the right manifest file is searched for.

Zoltan Balogh (bzoltan)
Changed in qtcreator (Ubuntu Saucy):
status: New → Fix Committed
Zoltan Balogh (bzoltan) wrote :

The 0ubuntu5~saucy1~test6 version of the QtCreator in the SDK Staging PPA (https://launchpad.net/~ubuntu-sdk-team/+archive/staging) has the fix. Please check it.

The change is as simple as Jamie suggested.

Jamie Strandboge (jdstrand) wrote :

I tested 2.7.1-0ubuntu7~saucy1~test3, but it is not correct. The changelog mentions the security manifest file, but it is actually the manifest file that needs to not have underscores.

Eg, I created a project called 'test_cordova' and the following manifest was generated:
{
    "description": "description of test_cordova",
    "framework": "ubuntu-sdk-13.10",
    "hooks": {
        "test_cordova": {
            "apparmor": "test-cordova.json",
            "desktop": "test_cordova.desktop"
        }
    },
    "maintainer": "Jamie Strandboge <email address hidden>",
    "name": "com.ubuntu.developer.jdstrand.test_cordova",
    "title": "test_cordova",
    "version": "0.1"
}

This is what needs to be changed:
{
    ...
    "hooks": {
        "test-cordova": {
            ...
        }
    },
    ...
    "name": "com.ubuntu.developer.jdstrand.test-cordova",
    ...
    "version": "0.1"
}

Note, while version in this case is fine (there are no underscores), version also must not contain underscores.

Jamie Strandboge (jdstrand) wrote :

I should also mention that for appstore reviews, the click package filename needs to match the manifest:
$name_$version_$architecture.click

where "name", "version" and the optional "architecture" are all in the manifest file. Therefore, this package name:
com.ubuntu.developer.jdstrand.test_cordova_0.1_all.click

should be:
com.ubuntu.developer.jdstrand.test-cordova_0.1_all.click

Changed in qtcreator (Ubuntu Saucy):
status: Fix Committed → In Progress
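
Added example (not the qtcreator plugin's code): a Python sketch of the '_' to '-' substitution discussed in this thread, applied to the manifest 'name' and hooks keys, together with the $name_$version_$architecture.click filename check from the comment above. Function names are hypothetical; defaulting the architecture to "all" when the manifest omits it, rejecting (rather than rewriting) a version that contains '_', and leaving the hook file values untouched are assumptions of this example.

```python
import copy
import os


def sanitize_manifest(manifest):
    """Return a copy with '_' replaced by '-' in 'name' and hooks keys."""
    if "_" in manifest["version"]:
        # Assumption: a version is the developer's choice, so report it.
        raise ValueError("version must not contain '_'")
    fixed = copy.deepcopy(manifest)
    fixed["name"] = fixed["name"].replace("_", "-")
    hooks = {}
    for key, value in fixed["hooks"].items():
        new_key = key.replace("_", "-")
        if new_key in hooks:
            # e.g. "a_b" and "a-b" would end up as the same application
            raise ValueError("hooks keys collide after substitution: " + new_key)
        hooks[new_key] = value  # file names inside the hook are left as they are
    fixed["hooks"] = hooks
    return fixed


def expected_click_filename(manifest, default_arch="all"):
    """Build $name_$version_$architecture.click from the manifest fields."""
    arch = manifest.get("architecture", default_arch)
    return "%s_%s_%s.click" % (manifest["name"], manifest["version"], arch)


def filename_matches(manifest, path):
    """True when the package file name agrees with the manifest."""
    return os.path.basename(path) == expected_click_filename(manifest)


# Constructed input modelled on the generated 'test_cordova' manifest above.
GENERATED = {
    "name": "com.ubuntu.developer.jdstrand.test_cordova",
    "hooks": {"test_cordova": {"apparmor": "test-cordova.json",
                               "desktop": "test_cordova.desktop"}},
    "version": "0.1",
}

if __name__ == "__main__":
    fixed = sanitize_manifest(GENERATED)
    print(fixed["name"], list(fixed["hooks"]), expected_click_filename(fixed))
```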
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qtcreator - 2.7.1-0ubuntu9

---------------
qtcreator (2.7.1-0ubuntu9) saucy; urgency=low

  * debian/patches/qtcreator-plugin-ubuntu.patch:
    - Update to latest version to truly fix (LP: #1215133)
 -- Timo Jyrinki <email address hidden> Wed, 28 Aug 2013 16:39:01 +0300

Changed in qtcreator (Ubuntu Saucy):
status: In Progress → Fix Released