Launchpad itself

revisit official package branch permissions

Bug #516709 reported by Robert Collins
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Triaged
High
Unassigned
Ubuntu Distributed Development
Invalid
Medium
Unassigned

Bug Description

official package branch permissions are the union of the owner and the distro permissions; however per-user upload rights are not modelled via the owner, so this leads to an unobvious security issue when we start doing official distro-builds-from-branches.

We should either:
 - make the owner the 'per user upload right' modelling. That is, have a synthetic team 'package-X uploaders' which lists all the people that can upload, and becomes the branch owner.
 - remove the owners permissons while a branch is official (so they can write IFF they have upload rights)
 - do something else to make it crystal clear to Ubuntu developers who will be able to upload to the archive.

See original description

Related branches

lp://staging/~jml/launchpad/owner-cannot-write-to-official-branch-516709
Rejected for merging into lp://staging/launchpad
Canonical Launchpad Engineering: Pending requested
Diff: 44 lines (+9/-15)
1 file modified
lib/canonical/launchpad/security.py (+9/-15)
Revision history for this message
Robert Collins (lifeless) wrote :

Added soyuz as thats where this work needs to take place. I don't know if they'll agree on priority, so not setting for now. However this is pretty important.

Julian Edwards (julian-edwards)
Changed in soyuz:
status: New → Invalid
Robert Collins (lifeless)
description: updated
Revision history for this message
Julian Edwards (julian-edwards) wrote :

I can't see what Soyuz needs to do here, it already provides an API to determine upload permissions.

Revision history for this message
Robert Collins (lifeless) wrote :

21:56 < jml> lifeless, fwiw, the place to change this in LP is lib/canonical/launchpad/security.py, "EditBranch" class.

Revision history for this message
Robert Collins (lifeless) wrote :

Moving the additional task to launchpad-code, bigjools says soyuz completely supports the queries needed to make writes to a branch enforce upload checks now.

affects: soyuz → launchpad-code
Changed in launchpad-code:
status: Invalid → New
Revision history for this message
Tim Penhey (thumper) wrote : Re: [Bug 516709] Re: revisit official package branch permissions

On Tue, 29 Jun 2010 00:02:47 you wrote:
> Moving the additional task to launchpad-code, bigjools says soyuz
> completely supports the queries needed to make writes to a branch
> enforce upload checks now.

I'm pretty sure that the code side of things has done this from the time that
soyuz was updated. How can we tell?

Revision history for this message
Robert Collins (lifeless) wrote :

We can tell by:
- getting a branch owned by someone like you or me (me if its a
package in main - I can upload to universe ;))
- make it the official branch for a package
- see if the owner can push content to it.

Revision history for this message
James Westby (james-w) wrote :

On Tue, 29 Jun 2010 00:49:07 -0000, Tim Penhey <email address hidden> wrote:
> On Tue, 29 Jun 2010 00:02:47 you wrote:
> > Moving the additional task to launchpad-code, bigjools says soyuz
> > completely supports the queries needed to make writes to a branch
> > enforce upload checks now.
>
> I'm pretty sure that the code side of things has done this from the time that
> soyuz was updated. How can we tell?

Code uses these checks, but unions the result with the existing branch
permissions.

Thanks,

James

Revision history for this message
Jonathan Lange (jml) wrote :

This diff shows, roughly speaking, how it could be done.

There are usability consequences that would need to be addressed at the same time. For example, once a branch has been made official for one package/distro, it becomes unwritable by its owner. This is unsurprising. Similarly, when looking at a branch that one owns but cannot write to, there needs to be some sort of clear indication. None of these are addressed in the patch.

Also, I hope this breaks some tests, but I don't really know.

Aaron Bentley (abentley)
Changed in launchpad-code:
importance: Undecided → Medium
status: New → Triaged
James Westby (james-w)
Changed in udd:
status: New → Triaged
tags: added: launchpad
Revision history for this message
Jonathan Lange (jml) wrote :

I just looked at this bug again, and I can't tell what the actual problem is.

Revision history for this message
Martin Pool (mbp) wrote :

I think the description is saying that I can have lp:~mbp/ubuntu/natty/foo be marked as the official branch for foo, and then I'll be able to upload even if I would not normally be able to upload into Ubuntu. jml's branch would fix that but the usability issues in <https://bugs.launchpad.net/udd/+bug/516709/comments/8> still seem to be true.

What this bug seems to be lacking is a statement from someone authoritative for Ubuntu that that is actually the behaviour they want. It seems reasonable to me though.

If all access to these branches is guarded by upload rules, perhaps it no longer makes sense for them to have a user-visible owner or for existing branches to be repurposed as official branches?

Revision history for this message
Jonathan Lange (jml) wrote :

Also lacking is *why* that's a problem. I can make up some reasons as to why I think it might be, but I'd rather hear from someone more informed.

Revision history for this message
Martin Pool (mbp) wrote :

I asked on the udd ilst ("rfc: permissions on package branches"). Until they say a change in behaviour is actually important, I think we can leave this at medium. I don't think any changes will be needed in the udd importer for this. (We're now using lp:udd more specifically for that, rather than the overall project.)

Changed in udd:
importance: Critical → Medium
status: Triaged → Invalid
Revision history for this message
Robert Collins (lifeless) wrote :

The why is simple: *only* folk that are specified as uploaders by Ubuntu are permitted to upload code to Ubuntu; granting write access to branches that the distro intends to be able to build from would permit a backdoor.

Changed in launchpad:
importance: Medium → High
Revision history for this message
Martin Pool (mbp) wrote :

I don't think there's actually a security problem here unless arbitrary people can make their branches become the official branches, and I don't think that's currently possible. Or is it?

The thread[1] discusses various possibilities but the short story seems to be that we will take away the possibility for branches owned by arbitrary users to be official branches. One way to do that would be to only allow the series owner (eg ~techboard) to mark a branch as official if the series owner owns the branch.

[1] <https://lists.ubuntu.com/archives/ubuntu-distributed-devel/2011-February/000726.html>

Revision history for this message
Robert Collins (lifeless) wrote :

On Wed, Mar 2, 2011 at 9:07 PM, Martin Pool <email address hidden> wrote:
> I don't think there's actually a security problem here unless arbitrary
> people can make their branches become the official branches, and I don't
> think that's currently possible.  Or is it?

the ability for a disconnect to exist is a severe security problem,
and suggesting people be careful won't fly with our stakeholders for
Ubuntu.

Revision history for this message
Martin Pool (mbp) wrote :

Talking this over with Robert, if I understand correctly he is suggesting:

* put in something like jml's patch, so owners lose access when their branch is blessed
* perhaps do minimal fixes in the web ui to show who has access

then later:

* get away from blessing existing branches, and instead have a namespace that is just "natively" within the distro and subject to those access rules

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.