ubuntu-phone team mailing list archive
Message #10523
Re: Problems with review in Click Store
To: ubuntu-phone@xxxxxxxxxxxxxxxxxxx
From: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
Date: Mon, 17 Nov 2014 14:08:45 -0600
In-reply-to: <1416249888.2655.26.camel@blasphemer>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0

On 11/17/2014 12:44 PM, Rodney Dawes wrote:
> On Mon, 2014-11-17 at 08:40 -0600, Jamie Strandboge wrote:
>> The review tools are correctly setting this for manual review because adding a
>> provider/qml-plugin to online extends online accounts in a manner that cannot be
>> automatically reviewed and because this code runs in a different security
>> context than the click app.
>>
>> Are you sure you want to add a new provider and qml-plugin for other apps on the
>> system to use? If so, that's ok, but this will require a manual review for each
>> upload. (An alternative would be to work with the online accounts team to try to
>> make your provider and plugin official).
>
> I personally don't mind if they need review, due to additional security
> concerns. I don't think we should try to make every provider an
> "official" provider though in the upstream account-plugins package. It
> would be better to keep that set of providers as small as reasonably
> possible, I think.
>
> However, I think even the "official" providers for Online Accounts
> should eventually become click packages for each provider. If an
> upstream (Google, AOL, Yahoo, whomever) decides to change what URL the
> OAuth should be grabbed from, or similar, a click package would let us
> have the update out in a matter of minutes. With the providers being
> part of the system image, though, it means we'd have to do all the
> extra work that comes with building a system image and pushing it out as
> an update to users.
>
> Granted, this hasn't been a big problem for the phone image yet, but
> services breaking authentication schemes has been an issue in the past
> for Pidgin and others.
>
Sure-- and I don't care if it is deb or click. Store policy is such that 3rd
party developers can't ship these without manual review. Canonical or a trusted
partner is able to ship a click with these without manual review, and my
suggestion speaks more to that angle.
--
Jamie Strandboge http://www.ubuntu.com/