ubuntu-appstore-developers team mailing list archive

Re: End to end experience - SDK to Device

 

On Wed, Sep 11, 2013 at 4:38 PM, Jamie Strandboge <jamie@xxxxxxxxxxxxx> wrote:
>  * When registering as a developer, I was asked to enter my PayPal account
>    email address. Two things:
>    - I wasn't actually charged anything, but I thought we were going to require
>      app developers to pay some modest registration fee (eg, $1 or less). What
>      is the status of this? I feel it is an important, though admittedly
>      imperfect, tool to link a developer to a human

Actually, that's currently in place to verify that we can somehow pay
you. It's inherited from the old MyApps. We're going to review it as
part of introducing purchasing of click apps.


>    - Will we allow other forms of payment besides PayPal?

Yes, we support most credit cards and PayPal.


>  * I uploaded an armhf binary (due to a local C++ extension) and was told that
>    "not a valid architecture: armhf". I was aware of this before uploading but
>    I was wondering what the current status of this is-- click build put the
>    architecture in DEBIAN/control as 'armhf'. Is this valid for the appstore
>    now or should we wave these through for now and just wait for fat
>    packages?

Right, so I think that we agreed that what we'd do is that packages
would declare what architectures they support in the manifest, and
that we'd only require fat packages when you had more than one
architecture.
The server and client filtering hasn't landed yet, but I think it's ok
to land armhf for now.


>  * My app was accepted even though it required special attention due to red
>    flagged permissions.
>
> Now, to be fair, I removed permissions that are normally granted and
> preemptively justified why these particular permissions were required. Perhaps
> it was my compelling argument in my upload comment for the reviewer or perhaps
> being a member of the security team helped me. ;) Joking aside, I'd like to take
> this opportunity to reinforce that apps should be using the 'common' policy
> groups. If the review tools complain about red-flagged security permissions or
> use of 'reserved' policy groups, please contact a member of the security team
> for the time being (probably me since I am also a member of the review team, but
> any of us will do)-- there might be things that are lacking in our confinement
> that are worth review, bugs we need to fix in our policy, or the requested
> permissions are simply too permissive.

Right. I reviewed the app and was going to ping you about those extra
permissions until I saw who the author was  ;)
I have been bouncing any other app that requests non-standard permissions.


> On a related note-- I was wondering about how the appstore detects changes? I'm
> thinking about my app's special permissions and maybe if on my next upload the
> appstore/review process could somehow take into account whether the permissions
> changed or not. Looking at:
> https://myapps.developer.ubuntu.com/dev/click-apps/reviewer/
>
> it seems there is some change detection-- but to know about security
> permissions, it would require examining the click package which AIUI is not
> currently supported. I have some ideas on a clickdiff tool that might be of use
> here.

Right, I've been pasting in the reviewer comments the output of the
review script so the next reviewer has context. We'll need to have
something more structured when we scan packages, obviously.


-- 
Martin
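
The permission change detection discussed in this thread could look like the following. This is an added example, not part of the original messages and not the appstore's or the review tools' code. It assumes each upload's security manifest is JSON with a `policy_groups` list; the function names, the contents of `COMMON_GROUPS` and both sample manifests are constructed for illustration.

```python
import json

# Assumption: groups a reviewer treats as normally granted ("common").
# Constructed for this example; substitute the store's real policy list.
COMMON_GROUPS = frozenset({"networking", "audio"})


def policy_groups(manifest_text):
    """Parse a security manifest (JSON, assumed key 'policy_groups')."""
    data = json.loads(manifest_text)
    groups = data.get("policy_groups", [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ValueError("policy_groups must be a list of strings")
    return set(groups)


def diff_permissions(old_text, new_text, common=COMMON_GROUPS):
    """Compare two uploads; old_text is None for a first upload."""
    old = policy_groups(old_text) if old_text is not None else set()
    new = policy_groups(new_text)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        # Non-common groups that are new in this upload: escalate to security.
        "needs_security_review": sorted((new - old) - common),
        # Non-common groups already present in the previous upload.
        "carried_over": sorted((new & old) - common),
    }


# Constructed sample manifests for two uploads of the same app.
OLD_UPLOAD = '{"policy_version": 1.0, "policy_groups": ["networking", "example-reserved-a"]}'
NEW_UPLOAD = ('{"policy_version": 1.0, "policy_groups": '
              '["networking", "audio", "example-reserved-a", "example-reserved-b"]}')

if __name__ == "__main__":
    print(json.dumps(diff_permissions(OLD_UPLOAD, NEW_UPLOAD), indent=2))
```

A structured result like this could be stored with the upload so the next reviewer sees which red-flagged groups are new and which were already present in the previous version.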

