Are we making sure that submission does not require a token? I would think that just updating metadata or cancelling tickets requires auth, no?
I ask because this would be a divergence from dput, where all you need is a signed package to make a successful submission (bogus submissions can be dumped asynchronously server-side). I'm assuming we can prevent spoofing by checking that the provided signature is from the key for the user specified in LP. Does implementing the frontend submission service make any of this easier? https://app.asana.com/0/14737058697498/

