UEFI copies within same archive shouldn't require re-approval
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Triaged
|
Low
|
Colin Watson | ||
Bug Description
In bug 1016594, it was required that uploads to the primary archive containing a UEFI image tarball should never be auto-approved, in order to allow us to preserve a reasonably Ubuntu-ish upload permissions model without making it trivial for anyone with even the narrowest per-package upload rights to get an arbitrary binary signed with the Canonical UEFI key.
However, this was slightly over the top in that it also affects copies within the same archive. For example, if we publish a security update to GRUB, that will be copied to quantal-updates and the copy must be independently approved, even though the same binary has already been signed with the Canonical key. Similarly, when we opened raring, several UEFI copies landed in the unapproved queue which had already been signed and could have been auto-approved. It'd be nice to eliminate this unnecessary manual work.
Related branches
- Curtis Hovey (community): Approve (code)
-
Diff: 179 lines (+46/-47)2 files modifiedlib/lp/soyuz/scripts/custom_uploads_copier.py (+5/-4)
lib/lp/soyuz/scripts/tests/test_custom_uploads_copier.py (+41/-43)
| Changed in launchpad: | |
| importance: | Undecided → Low |
| assignee: | nobody → Colin Watson (cjwatson) |
| status: | New → In Progress |
| Launchpad QA Bot (lpqabot) wrote | #1 |
| tags: | added: qa-needstesting |
| Changed in launchpad: | |
| status: | In Progress → Fix Committed |
| Colin Watson (cjwatson) wrote | #2 |
| Changed in launchpad: | |
| status: | Fix Committed → In Progress |
| tags: |
added: qa-ok removed: qa-needstesting |
| tags: | added: uefi |
| tags: | added: package-copies |
| Changed in launchpad: | |
| status: | In Progress → Triaged |
Fixed in stable r16176 <http://