ubuntu-appstore-developers team mailing list archive

Thread
Date

End to end experience - SDK to Device

To: Ubuntu Appstore Developers <ubuntu-appstore-developers@xxxxxxxxxxxxxxxxxxx>
From: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
Date: Wed, 11 Sep 2013 14:38:38 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130803 Thunderbird/17.0.8

Hi!

I wanted to go through the process of writing a real app, registering as a
developer, publishing the app in the app store and then downloading it via the
Dash on a device, so I did just that, and it all worked great! :)

As mentioned, the experience went very well and there weren't any bugs that
weren't already filed that I saw (why is it that I always seem to need C++ code
for stuff I want to do?), but I did want to bring up a couple of things:

 * When registering as a developer, I was asked to enter my PayPal account
   email address. Two things:
   - I wasn't actually charged anything, but I thought we were going to reqire
     app developers to pay some modest registration fee (eg, $1 or less). What
     is the status of this? I feel it is an important, though admittedly
     imperfect, tool to link a developer to a human
   - Will we allow other forms of payment besides PayPal?
 * I uploaded an armhf binary (due to a local C++ extension) and was told that
   "not a valid architecture: armhf". I was aware of this before uploading but
   I was wondering what the current status of this is-- click build put the
   architecture in DEBIAN/control as 'armhf'. Is this valid for the appstore
   now or should we waive these through for now and just wait for fat
   packages?
 * My app was accepted even though it required special attention due to red
   flagged permissions.

Now, to be fair, I removed permissions that are normally granted and
preemptively justified why these particular permissions were required. Perhaps
it was my compelling argument in my upload comment for the reviewer or perhaps
being a member of the security team helped me. ;) Joking aside, I'd like to take
this opportunity to reinforce that apps should be using the 'common' policy
groups. If the review tools complain about red-flagged security permissions or
use of 'reserved' policy groups, please contact a member of the security team
for the time being (probably me since I am also a member of the review team, but
any of us will do)-- there might be things that are lacking in our confinement
that are worth review, bugs we need to fix in our policy, or the requested
permissions are simply too permissive.

On a related note-- I was wondering about how the appstore detects changes? I'm
thinking about my app's special permissions and maybe if on my next upload the
appstore/review process could somehow take into accounts whether the permissions
changed or not. Looking at:
https://myapps.developer.ubuntu.com/dev/click-apps/reviewer/

it seems there is some change detection-- but to know about security
permissions, it would require examining the click package which AIUI is not
currently supported. I have some ideas on a clickdiff tool that might be of use
here.

-- 
Jamie Strandboge                 http://www.ubuntu.com/

Attachment: signature.asc
Description: OpenPGP digital signature

Follow ups

Re: End to end experience - SDK to Device
From: Martin Albisetti, 2013-09-12