PPA upload permissions should be decoupled from its team membership.
Bug #284141 reported by
Michael Casadevall
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Triaged
|
Low
|
Unassigned |
Bug Description
I noticed this awhile ago, but I didn't think to file a bug on it.
On projects that have a PPA, you can upload freely to it if your a member of that group, and on projects that have free registeration, this can be very dangerous. Take the 5-a-day project, and then it just takes one person to upload a well placed rm -rf /, and suddenly every user is screwed.
Changed in soyuz: | |
milestone: | none → pending |
To post a comment you must log in.
Hi Michael,
Don't you think your are overestimating this issue ?
I failed to see how a restricted- membership team helps to avoid malicious uploads. Quality assurance is still an user responsibility, he decides whether to enable a specific repository or not.
OTOH, it's important to note that it would be relatively simple to us, at this point, to decouple PPA upload permission from team membership. However we have to investigate if this extra-level of indirection really brings the benefits we are expecting.
For now, if you guys agree, I don't this bug as a private/security vulnerability. Can it be made public ?