I think I have accidental ubuntu archive powers.

Bug #677209 reported by Jorge Castro on 2010-11-18
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Undecided
Unassigned

Bug Description

I noticed a build for nux/unity failed to build and I noticed a "retry build" button next to the failed build, so I clicked it. I realized this was probably a bad idea so I asked Steve Langasek:

16:30 <jcastro> can that do anything bad? It feels like I shouldn't have clicked that, I'm not an archive admin or anything like that
16:31 <slangasek> jcastro: it makes the log of the previous build attempt unavailable; but that's a secondary concern
16:31 <slangasek> jcastro: the button is there so that people click it and don't have to ask people with hats :)
16:31 <james_w> I thought only people that could upload could retry
16:32 <slangasek> I think that's right
16:32 <jcastro> ok so I certainly should not be pushing it.
16:32 <slangasek> jcastro: then maybe you've found a bug in LP

Scott Kitterman (kitterman) wrote :

Looks like it's likely due to membership in https://launchpad.net/~ubuntu-drivers. Note the team description says "This team needs a rethink after a discussion about privilege levels in Launchpad". I think that's accurate. This team pulls in a not insignificant number of people who are not Ubuntu developers.

William Grant (wgrant) wrote :

This is probably because ~ubuntu-drivers owns the primary archive. This is not excellent.

On Thu, 2010-11-18 at 22:00 +0000, Scott Kitterman wrote:
> Looks like it's likely due to membership in https://launchpad.net
> /~ubuntu-drivers. Note the team description says "This team needs a
> rethink after a discussion about privilege levels in Launchpad". I
> think that's accurate. This team pulls in a not insignificant number
> of
> people who are not Ubuntu developers.

~ubuntu drivers are not just Ubuntu drivers. The team is the Ubunut
owner.

--
__Curtis C. Hovey_________
http://launchpad.net/

Colin Watson (cjwatson) wrote :

To clarify, the retry button does not mean that you have archive administrator powers. This button is available to anyone who can upload the package.

So yes, ubuntu-drivers does have excessive privilege - something we've known for a while. (In the same way, there are a few people in e.g. developer-membership-board who are transitively members of ubuntu-core-dev but who aren't by policy permitted to use it.) Bug 174375 tracks the work to reduce this.

William Grant (wgrant) wrote :

The retry button doesn't only appear if one holds archive admin superpowers, but in this case it's appearing because ~ubuntu-drivers owns the primary archive, which gives its members launchpad.Edit, which probably lets them grant themselves upload and queue admin rights.

It does seem odd that ~ubuntu-drivers owns the primary archive. Should
that be ~ubuntu-archive instead?

William Grant (wgrant) wrote :

Them or the techboard, probably, yes.

Colin Watson (cjwatson) wrote :

I tried to change the owner as follows:

  ubuntu_archive = lp.people['ubuntu-archive']
  for archive in lp.distributions['ubuntu'].archives:
      archive.owner = ubuntu_archive
      archive.lp_save()

... but got ForbiddenAttribute. Tom Haddon tried and got the same thing, so it's evidently not allowed over the API. Is that intentional?

Tom will follow up with the SQL.

Tom Haddon (mthaddon) wrote :

I've updated the owner to be "ubuntu-archive" for both the primary and partner archives.

The owner has been updated to ~ubuntu-archive. Can you test etc. and let us know if this is sufficient.

Colin Watson (cjwatson) wrote :

Jorge, could you find a random failing build and see if you still get the retry button? You can use http://qa.ubuntuwire.com/ftbfs/ as a source of failures.

Is there a bug for the need to use SQL to make this change? Per policy
we need one.

Jorge Castro (jorge) wrote :

Hi Colin,

I tried a few from the FTBFS list and I no longer have this capability, thanks!

Changed in launchpad:
status: New → Fix Released
Robert Collins (lifeless) wrote :

I've filed bug 678366 for the need to use SQL.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers