Sharing policies unconfigure existing projects

Bug #1008541 reported by Curtis Hovey
This bug affects 1 person
Affects: Launchpad itself
Status: Fix Released
Importance: High
Assigned to: Ian Booth

Bug Description

Projects have set teams in the maintainer, security contact, and bug supervisor roles to get access to private bugs, but the project is not sharing with these teams.

We probably want a script to migrate the current configurations to sharing. Ubuntu is exempt because its rules contradict Lp's documented behaviour. We do not want to run the script until bug 1008521, bug 1008526, and bug 1008538 are fixed.

Should a migration script also reconcile artefact grants with project grants? The goal of sharing is to make the disclosure of private information easy to understand and manage. The current view of /launchpad/+sharing is not easy to understand. Existing projects are in a mixed state that requires a lot of time (days or weeks) to reconcile by hand. Stakeholders will not likely accept a feature that requires them to do more work. I think a migration script should remove artefact subscriptions for users that are in projects that are shared with. Stakeholders (and the launchpad team) will see a listing of the teams they trust, and the exceptions that they need to investigate.

Curtis Hovey (sinzui)
tags: added: sharing
Ian Booth (wallyworld) wrote :

As a first step, I have created some SQL which will grant all project maintainers access policy grants for embargoed security and user data artifacts. This will at least allow maintainers to see the private information in their own projects.

Changed in launchpad:
status: Triaged → In Progress
assignee: nobody → Ian Booth (wallyworld)
Ian Booth (wallyworld) wrote : Re: [Bug 1008541] Re: Sharing policies unconfigure existing projects

On Tue 17 Jul 2012 12:03:02 EST, Ian Booth wrote:
> As a first step, I have created some SQL which will grant all project
> maintainers access policy grants for embargoed security and user data
> artifacts. This will at least allow maintainers to see the private
> information in their own projects.
>

This SQL has been run on production now. So project maintainers have
full access to their projects via access policy grants. I have not done
distributions.

Curtis Hovey (sinzui) wrote :

Hi Ian.

My thoughts were confused yesterday and I could not find or recreate the script that showed which bug supervisors need APGs and structural subscriptions. You might want to declare this bug complete and treat this as bug 1008538. I will update that bug too.

-- Under the old rules the default person to get private bug mail
-- is the maintainer. The maintainer may set the bug supervisor to
-- himself (a no-op) or to a team that he belongs to.
-- Under the new rules, the maintainer gets full access by default,
-- but the bug supervisor gets no access because the role exists
-- to delegate bug triage, so the team can be inclusive.
-- We only want to share USERDATA with exclusive bug supervisor teams
-- for active projects that use Lp Bugs.
-- These teams need a structural subscription with a USERDATA filter.
select p.name, bs.name
from product p
    join person bs on p.bug_supervisor = bs.id
where
    p.active is true
    and p.official_malone is true
    and bs.teamowner is not null
    and bs.subscriptionpolicy in (1, 3)
    and p.owner != p.bug_supervisor
    -- and p.driver = p.bug_supervisor
order by bs.name
;
-- (758 rows) on staging.
-- Common practice is to set the driver team as the bug supervisor to
-- ensure the people who plan releases can see the bugs.
-- (378 drivers get proper access which includes all Canonical projects)

Ian Booth (wallyworld) wrote :

I have marked this bug as complete and we'll do the bug supervisor work in the separate bug.

Changed in launchpad:
status: In Progress → Fix Released
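
The audit this thread describes, as an added sketch that is not code from this bug report or from Launchpad: it lists role holders whose role implies access to private bugs but who hold no sharing grant, then fills the gaps. The product and person columns and the (1, 3) exclusive-team filter come from the query above; the sharing_grant table, the info-type labels and all sample rows are assumptions made for illustration.

```python
import sqlite3
# Simplified, hypothetical schema (not Launchpad's real one): product/person reuse
# the thread's column names; sharing_grant stands in for access policy grants.
SCHEMA = """
create table person (id integer primary key, name text,
                     teamowner integer, subscriptionpolicy integer);
create table product (id integer primary key, name text, owner integer,
                      bug_supervisor integer, active integer, official_malone integer);
create table sharing_grant (product integer, grantee integer, info_type text);
-- Constructed sample rows; names, ids and info-type labels are illustrative.
insert into person values (1, 'alice', null, null), (2, 'acme-dev', 1, 3),
                          (3, 'open-triage', 1, 2), (4, 'bob', null, null);
insert into product values (10, 'acme', 1, 2, 1, 1), (11, 'widget', 4, 3, 1, 1),
                           (12, 'retired', 4, 2, 0, 1);
insert into sharing_grant values (10, 1, 'USERDATA');
"""
# Roles that imply access: every maintainer for both private types, plus
# exclusive bug supervisor teams (the thread's filter) for USERDATA only.
EXPECTED = """
select p.id pid, o.id gid, p.name project, o.name grantee, t.info_type info_type
from product p join person o on p.owner = o.id
    cross join (select 'USERDATA' as info_type union all select 'EMBARGOEDSECURITY') t
union
select p.id, bs.id, p.name, bs.name, 'USERDATA'
from product p join person bs on p.bug_supervisor = bs.id
where p.active = 1 and p.official_malone = 1 and bs.teamowner is not null
    and bs.subscriptionpolicy in (1, 3) and p.owner != p.bug_supervisor
"""
MISSING = f"""
select e.* from ({EXPECTED}) e
where not exists (select 1 from sharing_grant g where g.product = e.pid
                  and g.grantee = e.gid and g.info_type = e.info_type)
order by e.project, e.grantee, e.info_type
"""
def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def missing_grants(conn):
    """(project, grantee, info_type) where a role implies access but no grant exists."""
    return [row[2:] for row in conn.execute(MISSING)]

def migrate(conn):
    """Insert the missing grants; returns how many were added (0 on a re-run)."""
    rows = [(r[0], r[1], r[4]) for r in conn.execute(MISSING)]
    conn.executemany("insert into sharing_grant values (?, ?, ?)", rows)
    return len(rows)
```

The inclusive team (open-triage) and the inactive project's bug supervisor never appear in the report, which matches the rule in the query's comments that only exclusive teams on active projects get USERDATA shared with them.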
This report contains Public information  
Everyone can see this information.
