-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi,
While fixing bug #365098 (allowing package uploaders to set official source package branch), we hit a regression with the importer bug #797088. I have a fix for the regression, but I'd like to confirm the requirements around that piece to make sure that it's the end of the story. Basically, the fix ignores the pocket argument to setBranch. If the user has archive permission to upload the source package, he's allowed to set the official branch. Now, that means that any uploader (who has permission through the archive permissions) would be able to set an official package branch in the release pocket on SUPPORTED or CURRENT series. They couldn't upload a package there though. Is that a problem? Some argued that setting the official package branch is the logicial equivalent of an upload. Since I think we are shying away from automatic builds, I'm not sure this argument stands. In which case, that's more a kind of meta-data gardening which might not be a problem. Also, if we'd want to restrict this, we would have to model a 'package-importer' role on the distribution since it seems that the package-importer should have that permission regardless of the states of pocket, because it does garden historical meta-data. Thanks for your opinion on this. - -- Francis J. Lacoste [email protected] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk35LwAACgkQM2AFUiyz+TfTewCgvGEitJ+4lcQwqRaWJaixDnrF L6EAoLd9JeuAGYeLm0QfGbx5paNaadqa =2MEU -----END PGP SIGNATURE----- -- technical-board mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/technical-board
