Please email store reviewers with changes to classic confinement

Bug #1662218 reported by Jamie Strandboge
This bug affects 1 person
Affects: Software Center Agent
Status: Fix Released
Importance: Medium
Assigned to: Para Siva
Milestone:

Bug Description

The store will currently email store reviewers with changes to 'Approved capabilities'. I'm not sure why, but the classic confinement override is in a separate part of the form under 'Approved overrides'. Changes to anything in 'Approved capabilities' result in an email to the store reviewers, but changes to 'Approved overrides' do not. Since classic confinement provides ownership to the device, we need to ensure that store reviewers see these changes too.

Jamie Strandboge (jdstrand) wrote :

This isn't a security vulnerability but it is a bug to enhance security, so marking security but making it public.

information type: Private Security → Public Security
Changed in software-center-agent:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Daniel Manrique (roadmr)
Changed in software-center-agent:
assignee: Daniel Manrique (roadmr) → Para Siva (psivaa)
status: Confirmed → Triaged
Para Siva (psivaa)
Changed in software-center-agent:
status: Triaged → In Progress
Para Siva (psivaa) wrote :

Thanks for the bug report.

First, just to be clear, by code inspection and local testing, I do not see any emails being sent on 'Approved capabilities' changes, i.e. on the URL '/dev/click-apps/reviewer/package-declarations/<declaration_id>/update/' (which corresponds to the 'Approved capabilities' changes).

Emails are, however, sent on changes to snap name registrations review, i.e. on '/dev/click-apps/reviewer/package-declarations/<declaration_id>/' URLs.

Having said that, it is possible to add support for sending emails on changes to both 'Approved capabilities' and 'Approved overrides', and I will work on that now.

Jamie Strandboge (jdstrand) wrote :

I'm not sure where this is located in code, but I get emails all the time of this form:

"
From: Ubuntu Store <email address hidden>
To: ...
Subject: Package declaration update: brave-test
Date: Fri, 10 Mar 2017 14:29:30 -0000 (03/10/2017 08:29:30 AM)

plugs:
slots: {
  "dbus": {
    "deny-auto-connection": "true",
    "allow-connection": {
      "slot-attributes": {
        "name": "org.xflux.gui"
      }
    }
  }
}
auto-aliases:
refresh-control:
Updated by: jdstrand
"

Note that 'plugs', 'slots', 'auto-aliases' and 'refresh-control' are all part of the form under Overview in 'Approved capabilities'. 'classic' is not in this section and is instead in 'Approved overrides'. This bug is about making sure emails are sent for changes to 'Approved overrides', not just changes to 'Approved capabilities'.

Para Siva (psivaa) wrote :

Thanks for the reply. The emails are in fact sent in the 'Approved capabilities' change case, contrary to what I said earlier. I had been looking at a different place. Sorry for the noise.

Para Siva (psivaa)
Changed in software-center-agent:
status: In Progress → Fix Committed
Para Siva (psivaa)
Changed in software-center-agent:
status: Fix Committed → Fix Released
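
Added example (not part of the bug report and not the store's own code): a sketch of the gap this bug describes, where a notifier that watches only the 'Approved capabilities' fields stays silent when the classic override changes. The function names, the boolean `classic` field, the field grouping and the sample declarations are assumptions; the subject and body layout follow the sample email quoted above.

```python
import json

# Assumed grouping of declaration fields by form section, using the names
# mentioned in this report; the store's real schema is not shown on this page.
CAPABILITY_FIELDS = ("plugs", "slots", "auto-aliases", "refresh-control")
OVERRIDE_FIELDS = ("classic",)


def changed_fields(old, new, watched):
    """Return the watched field names whose values differ between old and new."""
    return [f for f in watched if old.get(f) != new.get(f)]


def render_value(value):
    """Render a field as in the sample email: blank when unset, JSON otherwise."""
    if value in (None, "", {}, []):
        return ""
    return json.dumps(value, indent=2)


def build_notification(snap, old, new, updated_by, watched):
    """Return (subject, body) if any watched field changed, else None."""
    if not changed_fields(old, new, watched):
        return None  # nothing watched changed, so reviewers get no email
    lines = [f"{f}: {render_value(new.get(f))}".rstrip() for f in watched]
    lines.append(f"Updated by: {updated_by}")
    return f"Package declaration update: {snap}", "\n".join(lines)


# Constructed sample: a reviewer grants the classic override and nothing else.
OLD = {"plugs": {}, "slots": {}, "classic": False}
NEW = {"plugs": {}, "slots": {}, "classic": True}

if __name__ == "__main__":
    # Behaviour described in the report: only 'Approved capabilities' is watched.
    print(build_notification("example-snap", OLD, NEW, "reviewer1",
                             CAPABILITY_FIELDS))
    # Behaviour requested: 'Approved overrides' is watched as well.
    print(build_notification("example-snap", OLD, NEW, "reviewer1",
                             CAPABILITY_FIELDS + OVERRIDE_FIELDS))
```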
This report contains Public Security information  
Everyone can see this security related information.