update to 0.43 (aka, support 'confinement' field in snap v2 yaml)

Bug #1584231 reported by Jamie Strandboge
This bug affects 1 person
Affects                          Status         Importance   Assigned to        Milestone
click-reviewers-tools (Ubuntu)   Fix Released   High         Jamie Strandboge
  Xenial                         Fix Released   High         Jamie Strandboge
  Yakkety                        Fix Released   High         Jamie Strandboge

Bug Description

[Impact]
Upgrade to review tools 0.43. The review tools provide lint-style checks for clicks and snaps. This release has several bug fixes and support for new snappy yaml declarations, the most important of which is supporting the 'confinement' property.

Here is the complete changelog:

  * sr_lint.py:
    - kernel snaps may have external symlinks
    - handle top-level plugs and slots with yaml data as 'null' (LP: #1579201)
    - add epoch checks (LP: #1583298)
    - .pyc are arch-independent, so don't complain about them
    - add confinement checks (LP: #1580819)
  * data/apparmor-easyprof-ubuntu.json:
    - add opengl interface as 'common' (LP: #1572140)
    - add reserved bluez, network-manager and location-observe interfaces
  * sr_security.py:
    - remove last reference to 'cap'
    - turn resquash test into info for now until the squashfs-tools bugs are
      fixed and this is a reliable check
  * when 'confinement' is 'devmode', override the result type to 'info'
    - common.py: add override_result_type to allow in support of 'confinement'
      overrides
    - sr_common.py: add _devmode_override()
    - sr_security.py: use override_result_type if in devmode
    - LP: #1584231

[Test Case]
The testsuite tests the above and the store is already using these checks. To verify the package:
1. install the package
2. verify click reviews work with: click-review /path/to/click
3. verify snapv1 reviews work with: click-review /path/to/15.04/snap
4. verify snapv2 reviews work with: click-review /path/to/16/snap

[Regression Potential]

The worst regression is that the lint tool would trace back to the user running it instead of displaying the information. The testsuite is run during the build and is comprehensive, with the added code maintaining 100% coverage for sr_security.py and sr_lint.py, and sr_common.py maintaining 98% coverage.

[Other Info]
The store has been running r651 for weeks with no issues. r652 and later are to support the new snappy 'confinement' and 'epoch' fields as per the spec and fix a few minor issues. The store will land this next week and if there are regressions there, I will update this bug.

Jamie Strandboge (jdstrand) wrote :

This is fixed in 0.43 which I've uploaded to yakkety.

Changed in click-reviewers-tools (Ubuntu Yakkety):
status: New → Fix Committed
importance: Undecided → High
Changed in click-reviewers-tools (Ubuntu Xenial):
importance: Undecided → High
Changed in click-reviewers-tools (Ubuntu Yakkety):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in click-reviewers-tools (Ubuntu Xenial):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → In Progress
Changed in click-reviewers-tools (Ubuntu Xenial):
status: In Progress → Triaged
description: updated
Changed in click-reviewers-tools (Ubuntu Xenial):
status: Triaged → In Progress
summary: - support 'confinement' field in snap v2 yaml
+ update to 0.43 (aka, support 'confinement' field in snap v2 yaml)
Jamie Strandboge (jdstrand) wrote :

This was fixed in yakkety in 0.43.

Changed in click-reviewers-tools (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote : Please test proposed package

Hello Jamie, or anyone else affected,

Accepted click-reviewers-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/click-reviewers-tools/0.43~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in click-reviewers-tools (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Jamie Strandboge (jdstrand) wrote :

Verified that 'confinement: strict' properly errors with 'plugs: [ network-control ]':
Errors
------
 - security-snap-v2:plug_safe:network-control:network-control
 reserved interface 'network-control' for vetted applications only

and that 'confinement: devmode' shows no error with 'plugs: [ network-control ]'

I also verified it works with a sampling of clicks, v1 snaps and v2 snaps.

tags: added: verification-done
removed: verification-needed
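
The devmode override verified in the comment above, sketched as an added example that is not part of the bug report or the click-reviewers-tools source. The function names, the `lint-snap-v2:confinement_valid` check name, the default of 'strict' and the two accepted confinement values are assumptions; the reserved interface names and the error text come from this page.

```python
# Added illustration, not click-reviewers-tools source; all names are hypothetical.
RESERVED = {"network-control", "bluez", "network-manager", "location-observe"}
CONFINEMENT_VALUES = {"strict", "devmode"}  # assumption: the values this bug concerns


def normalize_plugs(plugs):
    """Return {plug_name: interface}; YAML 'plugs:' with no value arrives as None."""
    if plugs is None:
        return {}
    if isinstance(plugs, list):          # plugs: [ network-control ]
        return {name: name for name in plugs}
    out = {}
    for name, decl in plugs.items():     # plugs: { name: null | iface | {interface: iface} }
        out[name] = decl if isinstance(decl, str) else (decl or {}).get("interface", name)
    return out


def review(snap_yaml):
    """Lint a parsed snap.yaml dict; returns {'error': {}, 'warn': {}, 'info': {}}."""
    report = {"error": {}, "warn": {}, "info": {}}

    def add(name, result_type, text, override_result_type=None):
        # An override replaces the check's own severity, but the finding is kept.
        report[override_result_type or result_type][name] = text

    confinement = snap_yaml.get("confinement", "strict")  # assumed default
    if confinement not in CONFINEMENT_VALUES:
        add("lint-snap-v2:confinement_valid", "error",
            "malformed 'confinement': %r" % (confinement,))
        confinement = "strict"           # fail closed: no override for bad input
    override = "info" if confinement == "devmode" else None

    for plug, iface in sorted(normalize_plugs(snap_yaml.get("plugs")).items()):
        if iface in RESERVED:
            add("security-snap-v2:plug_safe:%s:%s" % (plug, iface), "error",
                "reserved interface '%s' for vetted applications only" % iface,
                override_result_type=override)
    return report


if __name__ == "__main__":
    # Constructed inputs mirroring the verification comment above.
    for conf in ("strict", "devmode"):
        print(conf, review({"confinement": conf, "plugs": ["network-control"]}))
```

In devmode the finding is still recorded under 'info', so a reviewer can see which reserved interfaces the snap would need vetting for before it moves to strict confinement.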
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package click-reviewers-tools - 0.43~14.04.1

---------------
click-reviewers-tools (0.43~14.04.1) xenial-proposed; urgency=medium

  [ Jamie Strandboge ]
  * sr_lint.py:
    - kernel snaps may have external symlinks
    - handle top-level plugs and slots with yaml data as 'null' (LP: #1579201)
    - add epoch checks (LP: #1583298)
    - .pyc are arch-independent, so don't complain about them
    - add confinement checks (LP: #1580819)
  * data/apparmor-easyprof-ubuntu.json:
    - add opengl interface as 'common' (LP: #1572140)
    - add reserved bluez, network-manager and location-observe interfaces
  * sr_security.py:
    - remove last reference to 'cap'
    - turn resquash test into info for now until the squashfs-tools bugs are
      fixed and this is a reliable check
  * when 'confinement' is 'devmode', override the result type to 'info'
    - common.py: add override_result_type to allow in support of 'confinement'
      overrides
    - sr_common.py: add _devmode_override()
    - sr_security.py: use override_result_type if in devmode
    - LP: #1584231

 -- Jamie Strandboge <email address hidden> Fri, 20 May 2016 16:06:55 -0500

Changed in click-reviewers-tools (Ubuntu Xenial):
status: Fix Committed → Fix Released
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for click-reviewers-tools has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
