Set Ubuntu dependencies for PPA via API

Bug #776449 reported by Timothy R. Chavez
Affects: Launchpad itself
Status: Fix Released
Importance: Critical
Assigned to: Aaron Bentley
Milestone:

Bug Description

OEM needs the ability to programmatically set the Ubuntu dependencies (e.g. basic, security, default, proposed, backports) for PPAs. Currently this is only doable (AFAICT) from the PPA's Edit PPA dependencies web view.

Aaron Bentley (abentley)
Changed in launchpad:
status: New → Triaged
importance: Undecided → High
William Grant (wgrant) wrote :

ArchiveDependency is already exported read-only. Making it writable shouldn't be extremely difficult.

tags: added: api ppa
tags: added: oem-services
Francis J. Lacoste (flacoste) wrote :

Escalated by Steve Magoun on the stakeholders list.

Changed in launchpad:
importance: High → Critical
tags: added: escalated
William Grant (wgrant)
tags: added: not-pie-critical
Aaron Bentley (abentley)
Changed in launchpad:
assignee: nobody → Aaron Bentley (abentley)
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: Triaged → Fix Committed
Aaron Bentley (abentley)
tags: added: qa-ok
removed: qa-needstesting
William Grant (wgrant) wrote :

This bypasses the browser safeguards that prevent addition of a dependency on arbitrary private PPAs. Normally launchpad.View is checked, but that's clearly not the case here:

>>> lp = Launchpad.login_with('fwefw', 'qastaging', version='devel')
>>> a = lp.me.archive
>>> a.addArchiveDependency(dependency='/~ubuntu-security/+archive/ppa', pocket='Release')
<archive_dependency at https://api.qastaging.launchpad.net/devel/~wgrant/+archive/ppa/+dependency/3017>

tags: added: qa-bad
removed: qa-ok
Aaron Bentley (abentley) wrote : Re: [Bug 776449] Re: Set Ubuntu dependencies for PPA via API

On 11-06-03 12:57 PM, William Grant wrote:
> This bypasses the browser safeguards that prevent addition of a
> dependency on arbitrary private PPAs. Normally launchpad.View is
> checked, but that's clearly not the case here:
>
>>>> lp = Launchpad.login_with('fwefw', 'qastaging', version='devel')
>>>> a = lp.me.archive
>>>> a.addArchiveDependency(dependency='/~ubuntu-security/+archive/ppa', pocket='Release')
> <archive_dependency at https://api.qastaging.launchpad.net/devel/~wgrant/+archive/ppa/+dependency/3017>

I don't think this is specific to addArchiveDependency:

>>> lp = Launchpad.login_with('fwefw', 'qastaging', version='devel')
>>> print lp.load('/~ubuntu-security/+archive/ppa').description
Private Security Build PPA

Also, I can't find any browser code that checks the appropriateness of
the archive for addArchiveDependency.

So if this is broken, I think we were broken already.

Aaron

William Grant (wgrant) wrote :

On 04/06/11 05:48, Aaron Bentley wrote:
> On 11-06-03 12:57 PM, William Grant wrote:
>> This bypasses the browser safeguards that prevent addition of a
>> dependency on arbitrary private PPAs. Normally launchpad.View is
>> checked, but that's clearly not the case here:
>
>>>>> lp = Launchpad.login_with('fwefw', 'qastaging', version='devel')
>>>>> a = lp.me.archive
>>>>> a.addArchiveDependency(dependency='/~ubuntu-security/+archive/ppa', pocket='Release')
>> <archive_dependency at https://api.qastaging.launchpad.net/devel/~wgrant/+archive/ppa/+dependency/3017>
>
> I don't think this is specific to addArchiveDependency:

Some data about private PPAs is public, so we can show package origin.

>>>> lp = Launchpad.login_with('fwefw', 'qastaging', version='devel')
>>>> print lp.load('/~ubuntu-security/+archive/ppa').description
> Private Security Build PPA
>
> Also, I can't find any browser code that checks the appropriateness of
> the archive for addArchiveDependency.

ArchiveEditDependenciesView.validate() still has the check.

> So if this is broken, I think we were broken already.

We were broken, but I reported it and it was fixed a couple of years ago.
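To illustrate the gap the thread settles on (the browser form's validate() checks that the caller may view the dependency archive, the exported API method did not), here is an added Python model; it is not Launchpad's code, and the `Archive` class, the `can_view` stand-in for launchpad.View and the sample archives are assumptions made for the example.

```python
"""Model of the gap discussed above: the browser form checked that the caller may
view the dependency archive, the exported API method did not (constructed example)."""
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when the actor lacks view permission on the target archive."""


@dataclass
class Archive:
    name: str
    owner: str
    private: bool = False
    subscribers: set = field(default_factory=set)
    dependencies: list = field(default_factory=list)

    def can_view(self, actor: str) -> bool:
        # Simplified stand-in for launchpad.View: public archives are visible
        # to everyone, private ones only to the owner and explicit subscribers.
        return not self.private or actor == self.owner or actor in self.subscribers


def add_dependency_unchecked(actor, archive, dependency, pocket="Release"):
    # The bug: the API-exported method relied on the browser form having
    # screened the caller and did no view check of its own ('actor' unused).
    archive.dependencies.append((dependency.name, pocket))
    return archive.dependencies[-1]


def add_dependency_checked(actor, archive, dependency, pocket="Release"):
    # The fix: enforce the view check in the model method so every entry
    # point (browser form and API alike) shares the same safeguard.
    if not dependency.can_view(actor):
        raise Unauthorized(f"{actor} may not view {dependency.name}")
    return add_dependency_unchecked(actor, archive, dependency, pocket)


def demo():
    # Constructed sample data: a public PPA owned by 'wgrant' and a private one.
    mine = Archive("~wgrant/+archive/ppa", owner="wgrant")
    sec = Archive("~ubuntu-security/+archive/ppa", "ubuntu-security", private=True)
    leaked = add_dependency_unchecked("wgrant", mine, sec)  # succeeds: the bug
    try:
        add_dependency_checked("wgrant", mine, sec)
        blocked = False
    except Unauthorized:
        blocked = True
    return leaked, blocked
```

The point is where the check lives: a safeguard implemented only in the browser view is silently skipped by every other entry point, so it belongs in the model method all entry points call.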

William Grant (wgrant)
tags: added: bad-commit-13157
William Grant (wgrant)
Changed in launchpad:
status: Fix Committed → In Progress
Aaron Bentley (abentley) wrote :

On 11-06-03 08:33 PM, William Grant wrote:
> Some data about private PPAs is public, so we can show package origin.

This seems like a disclosure bug. If P3As were un-traversable for
non-privileged users like most of our private objects, I don't think we
would have this issue.

> ArchiveEditDependenciesView.validate() still has the check.

Thanks.

Aaron

William Grant (wgrant) wrote :

It is not quite that simple. Packages are frequently copied out of private PPAs into public archives. eg. ppa:ubuntu-security/ppa into the Ubuntu primary archive. It's handy to show the origin in that case.

Robert Collins (lifeless) wrote :

On Tue, Jun 7, 2011 at 1:14 PM, William Grant <email address hidden> wrote:
> It is not quite that simple. Packages are frequently copied out of
> private PPAs into public archives. eg. ppa:ubuntu-security/ppa into the
> Ubuntu primary archive. It's handy to show the origin in that case.

mmmm - this sounds surprising, and hard for users to reason about.

Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-bad
Changed in launchpad:
status: In Progress → Fix Committed
Julian Edwards (julian-edwards) wrote :

On Tuesday 07 June 2011 05:04:14 you wrote:
> mmmm - this sounds surprising, and hard for users to reason about.

The previously private package is now public. What's hard to understand? :)

Aaron Bentley (abentley)
tags: added: qa-bad
removed: qa-needstesting
William Grant (wgrant) wrote :

Seems fine except for the fix in https://code.launchpad.net/~abentley/launchpad/ppa-api-errors/+merge/64425, which I don't think should block deployment.

tags: added: qa-ok
removed: qa-bad
William Grant (wgrant)
Changed in launchpad:
status: Fix Committed → Fix Released