ubuntu-phone team mailing list archive

[Jamie Strandboge <jamie@xxxxxxxxxxxxx>]

On 09/17/2015 05:53 AM, Alberto Mardegan wrote:
> On 09/16/2015 07:32 PM, Jamie Strandboge wrote:
>> Note that this landing was uncoordinated with the security team (I
>> just now heard about it). There is no security policy for 15.10 on
>> the device at the moment so targeting a 15.10 framework in an app
>> won't work on a 15.04 device.
> 
> I tried to modify the reminders-app to use the new account APIs in
> 15.10-dev1, but the application won't start.
> I suspect that this has something to do with this:
> ========
> phablet@ubuntu-phablet:~$ sudo aa-clickhook
> ERROR: Could not find framework for
> 'com.ubuntu.reminders_pushHelper_0.5.496.json'. Skipping
> ERROR: Could not find framework for
> 'com.ubuntu.reminders_reminders_0.5.496.json'. Skipping
> ========
> 
> Are these errors caused by the missing security policy, as you wrote
> above?
> 
Yes and there needs to be a click-apparmor change. This will unfortunately
trigger the time consuming rebuild of policy on the devices. I'm not sure about
the store interactions (ie, will an app using the 15.10 framework install on a
15.04 device with the 15.10 framework?), though I have a feeling it will work
fine. It is possible the sdk will have to be updated to handle the differently
versioned security policy (it will be 15.10, not 1.4).

I think we need to improve our processes for updating frameworks-- we don't do
it often, but when we do they are too often uncoordinated across teams.

> Anyway, how to proceed? I'm not very fond of backporting the changes
> to the 15.04 framework, because we shouldn't modify a framework after
> having released it (save for bugfixes).

Yet we've done this a lot already-- but mostly for bug fixes and new
functionality (ie, not breaks to existing functionality). I think the way to
proceed is get the new policy on the devices (but shipping newer security policy
on old userspace breaks some agreed to assumptions that the security policy
consider. Have I mentioned it would have been nice to coordinate this ahead of
time? :) I've filed a bug[1] to track this work, but it won't be able to land
until next week at the earliest.

> What if an application starts
> using the new Online Accounts APIs in 15.04, and a user installs it in
> one device which has the 15.04 framework, but not updated to the
> latest OTAs? If one has the original 15.04 framework, applications
> using the new Online Accounts API would not work there.

This is a sore point in backporting functionality to the devices-- phased
updates and people not updating mean that developers have a weird choice on when
to pull the trigger on new functionality in their app. This happened with
'keep-display-on' and I feel like at least one other feature. With online
accounts, it might make sense to wait on advertising the feature until all the
bits are fully phased.

[1]https://launchpad.net/bugs/1496880

-- 
Jamie Strandboge                 http://www.ubuntu.com/

Attachment: signature.asc
Description: OpenPGP digital signature