Ubuntu
qtcreator package

  1. Bug #1215133
  2. Comment #0

Comment 0 for bug 1215133

Revision history for this message
Jamie Strandboge (jdstrand) wrote : application name verification is too lenient

Currently qtcreator allows people to name their projects with an underscore. This name is used to fill in various parts of the manifest which are then used to generate click packages, etc. click packages, apparmor and the application lifecycle have the concept of an APP_ID. When you install a click package an APP_ID is assigned in the form of $pkgname_$app_$version where $pkgname is com.ubuntu.developer.<userid>.$appname (note, $app and $appname are often the same, but may be different when in the future we support multiple desktop files per click package). The underscore is a delimiter for the APP_ID and therefore must not be allowed in $pkgname, $app or $version.

To illustrate, consider the following manifest:
{
    "framework": "ubuntu-sdk-13.10",
    "hooks": {
        "untitled17": {
            "apparmor": "untitled17.json",
            "desktop": "untitled17.desktop"
        }
    },
    "maintainer": "Jamie Strandboge <email address hidden>",
    "name": "com.ubuntu.developer.jdstrand.untitled17",
    "title": "",
    "description": "",
    "version": "0.1"
}

The APP_ID for the above is: com.ubuntu.developer.jdstrand.untitled17_untitled17_0.1. The APP_ID is derived based on the 'name' , hooks dictionary key(s) and the version from the click manifest. The apparmor hook looks at these manifest fields to generate a profile name and policy while the desktop hook looks at them to generate a desktop file. Unity will look at these fields to derive an APP_ID to launch applications in compliance with application lifecycle and application lifecycle.

I didn't verify qtcreator's input validation except to see that it allows '_', but here are regular expressions that validate each part:
 * manifest 'name': ^[a-z0-9][a-z0-9+.-]+$
 * manifest 'version': ^((\d+):)?([A-Za-z0-9.+:~-]+?)(-([A-Za-z0-9+.~]+))?$
 * manifest 'hooks keys': ^[A-Za-z0-9+-.:~-]+$

The allowed characters are based on (which references Debian policy):
http://bazaar.launchpad.net/~click-hackers/click/trunk/view/head:/doc/file-format.rst
http://bazaar.launchpad.net/~click-hackers/click/trunk/view/head:/doc/hooks.rst

Note that the click documentation states that the name should only be the allowable characters for Debian Source packages (which is what the above regex enforces), but click is currently lenient and seems to allow [A-Z] (ie, ^[A-Za-z0-9][A-Za-z0-9\+\-\.]+$). I'm not sure this is a bug in click or a feature (please talk to cjwatson for clarification). The review process currently enforces click documented behavior.