
ubuntu-appstore-developers team mailing list archive

Re: Scanning packages on upload

 

Hi James,

On 13-07-25 06:46 PM, James Westby wrote:
> Hi,
> 
> Now that the skeleton of the server side is in place, Martin has asked
> me to start looking at one of the next topics, scanning click packages
> on upload for automated checks (and probably extracting information so
> the developer doesn't have to enter it).
> 
> Already in SCA we have a system to pass off uploaded tarballs for
> automated packaging (pkgme). I think that this could largely be re-used,
> just changing the task that is being run to do click-related tasks.
> 
> It works by making an API call to another service on each upload. This
> service retrieves the file, scans it, and then makes a callback request
> with the output. I think it would be pretty straightforward to adapt
> this to work for click packages too.
> 
> The main question in my mind is how the scanning would fit in to the
> workflow. For example should the developer upload the file, and then
> wait for the scanning before entering the rest of the information?
> Should the scanning come after and the results be presented to the
> reviewers? Perhaps both for different checks.
> 

Probably both. It would be nice to immediately notify the developer that he
uploaded a picture of his cat instead of a proper package, but some of the
security checks we would like to add would simply notify the reviewer that the
package needs additional inspection.

Marc.
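As an added illustration of the two-tier outcome Marc describes (not code from this thread or from SCA), here is a small scan step that rejects non-packages straight back to the developer and flags anything structurally odd for the reviewer. It assumes click packages are ar archives in the dpkg-deb layout; the expected member list and the callback payload shape are my own illustrative choices.

```python
"""Added example, not code from the thread or from SCA. A minimal scan step that
sorts findings into the two tiers Marc describes: "developer" findings reject
the upload and go straight back to the uploader; "review" findings accept it
but flag it for the human reviewer. Assumed: click packages are ar archives
(dpkg-deb layout); the expected member list and callback payload are illustrative."""

AR_MAGIC = b"!<arch>\n"
IMAGE_MAGICS = {b"\xff\xd8\xff": "JPEG", b"\x89PNG\r\n\x1a\n": "PNG"}
EXPECTED_MEMBERS = {"debian-binary", "control.tar.gz", "data.tar.gz"}  # assumed

def ar_members(data: bytes) -> list:
    """Return member names of an ar archive (60-byte headers, data padded to even size)."""
    names, pos = [], len(AR_MAGIC)
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % pos)
        names.append(hdr[:16].decode("ascii", "replace").rstrip(" /"))
        size = int(hdr[48:58])
        pos += 60 + size + (size % 2)
    return names

def build_ar(members: dict) -> bytes:
    """Build a sample ar archive from {name: bytes}; only used to construct test input."""
    out = bytearray(AR_MAGIC)
    for name, body in members.items():
        out += b"%-16s%-12s%-6s%-6s%-8s%-10s`\n" % (
            name.encode(), b"0", b"0", b"0", b"100644", str(len(body)).encode())
        out += body + (b"\n" if len(body) % 2 else b"")
    return bytes(out)

def scan(data: bytes) -> dict:
    """Run both tiers; the dict is what the scanning service would post in its callback."""
    # Tier 1, developer-facing: is this even a package? Fail fast on images or junk.
    if not data.startswith(AR_MAGIC):
        kind = next((n for m, n in IMAGE_MAGICS.items() if data.startswith(m)), None)
        reason = ("upload is a %s image, not a click package" % kind) if kind else \
            "upload is not an ar archive, so it cannot be a click package"
        return {"status": "rejected", "notify": "developer", "errors": [reason]}
    try:
        members = ar_members(data)
    except ValueError as e:
        return {"status": "rejected", "notify": "developer", "errors": [str(e)]}
    # Tier 2, reviewer-facing: structurally a package, but anything unusual gets flagged.
    flags = ["unexpected member %r" % m for m in members if m not in EXPECTED_MEMBERS]
    flags += ["missing member %r" % m for m in sorted(EXPECTED_MEMBERS - set(members))]
    if flags:
        return {"status": "needs-review", "notify": "reviewer", "flags": flags}
    return {"status": "accepted", "notify": None, "flags": []}
```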
