Launchpad itself

I think I have accidental ubuntu archive powers.

Bug #677209 reported by Jorge Castro
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
Undecided
Unassigned

Bug Description

I noticed a build for nux/unity failed to build and I noticed a "retry build" button next to the failed build, so I clicked it. I realized this was probably a bad idea so I asked Steve Langasek:

16:30 <jcastro> can that do anything bad? It feels like I shouldn't have clicked that, I'm not an archive admin or anything like that
16:31 <slangasek> jcastro: it makes the log of the previous build attempt unavailable; but that's a secondary concern
16:31 <slangasek> jcastro: the button is there so that people click it and don't have to ask people with hats :)
16:31 <james_w> I thought only people that could upload could retry
16:32 <slangasek> I think that's right
16:32 <jcastro> ok so I certainly should not be pushing it.
16:32 <slangasek> jcastro: then maybe you've found a bug in LP

Revision history for this message
Scott Kitterman (kitterman) wrote :

Looks like it's likely due to membership in https://launchpad.net/~ubuntu-drivers. Note the team description says "This team needs a rethink after a discussion about privilege levels in Launchpad". I think that's accurate. This team pulls in a not insignificant number of people who are not Ubuntu developers.

Revision history for this message
William Grant (wgrant) wrote :

This is probably because ~ubuntu-drivers owns the primary archive. This is not excellent.

Revision history for this message
Curtis Hovey (sinzui) wrote : Re: [Bug 677209] Re: I think I have accidental ubuntu archive powers.

On Thu, 2010-11-18 at 22:00 +0000, Scott Kitterman wrote:
> Looks like it's likely due to membership in https://launchpad.net
> /~ubuntu-drivers. Note the team description says "This team needs a
> rethink after a discussion about privilege levels in Launchpad". I
> think that's accurate. This team pulls in a not insignificant number
> of
> people who are not Ubuntu developers.

~ubuntu drivers are not just Ubuntu drivers. The team is the Ubunut
owner.

--
__Curtis C. Hovey_________
http://launchpad.net/

Revision history for this message
Colin Watson (cjwatson) wrote :

To clarify, the retry button does not mean that you have archive administrator powers. This button is available to anyone who can upload the package.

So yes, ubuntu-drivers does have excessive privilege - something we've known for a while. (In the same way, there are a few people in e.g. developer-membership-board who are transitively members of ubuntu-core-dev but who aren't by policy permitted to use it.) Bug 174375 tracks the work to reduce this.

Revision history for this message
William Grant (wgrant) wrote :

The retry button doesn't only appear if one holds archive admin superpowers, but in this case it's appearing because ~ubuntu-drivers owns the primary archive, which gives its members launchpad.Edit, which probably lets them grant themselves upload and queue admin rights.

Revision history for this message
Colin Watson (cjwatson) wrote : Re: [Bug 677209] Re: I think I have accidental ubuntu archive powers.

It does seem odd that ~ubuntu-drivers owns the primary archive. Should
that be ~ubuntu-archive instead?

Revision history for this message
William Grant (wgrant) wrote :

Them or the techboard, probably, yes.

Revision history for this message
Colin Watson (cjwatson) wrote :

I tried to change the owner as follows:

  ubuntu_archive = lp.people['ubuntu-archive']
  for archive in lp.distributions['ubuntu'].archives:
      archive.owner = ubuntu_archive
      archive.lp_save()

... but got ForbiddenAttribute. Tom Haddon tried and got the same thing, so it's evidently not allowed over the API. Is that intentional?

Tom will follow up with the SQL.

Revision history for this message
Tom Haddon (mthaddon) wrote :

I've updated the owner to be "ubuntu-archive" for both the primary and partner archives.

Revision history for this message
Julian Edwards (julian-edwards) wrote :

The owner has been updated to ~ubuntu-archive. Can you test etc. and let us know if this is sufficient.

Revision history for this message
Colin Watson (cjwatson) wrote :

Jorge, could you find a random failing build and see if you still get the retry button? You can use http://qa.ubuntuwire.com/ftbfs/ as a source of failures.

Revision history for this message
Robert Collins (lifeless) wrote : Re: [Bug 677209] Re: I think I have accidental ubuntu archive powers.

Is there a bug for the need to use SQL to make this change? Per policy
we need one.

Revision history for this message
Jorge Castro (jorge) wrote :

Hi Colin,

I tried a few from the FTBFS list and I no longer have this capability, thanks!

Changed in launchpad:
status: New → Fix Released
Revision history for this message
Robert Collins (lifeless) wrote :

I've filed bug 678366 for the need to use SQL.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.