"Available diffs" are not accessible when publishing private packages via copyPackage()

Bug #1023986 reported by Jamie Strandboge
This bug affects 2 people
Affects: Launchpad itself
Status: Fix Released
Importance: Low
Assigned to: Colin Watson

Bug Description

I published two security updates yesterday: rhythmbox and qt4-x11.

Rhythmbox used the syncSource API and seems to have worked fine (diff from 2.90.1~20110908-0ubuntu1 (in Ubuntu) to 2.90.1~20110908-0ubuntu1.4):
https://launchpad.net/ubuntu/+source/rhythmbox/2.90.1~20110908-0ubuntu1.4
http://launchpadlibrarian.net/109846758/rhythmbox_2.90.1~20110908-0ubuntu1_2.90.1~20110908-0ubuntu1.4.diff.gz

qt4-x11 used the copyPackage API and did not (diff from 4:4.6.2-0ubuntu5.3 (in Ubuntu) to 4:4.6.2-0ubuntu5.4):
https://launchpad.net/ubuntu/+source/qt4-x11/4:4.6.2-0ubuntu5.4
http://www.lplibrarian-private-download.internal:8000/109860161/qt4-x11_4%3A4.6.2-0ubuntu5.3_4%3A4.6.2-0ubuntu5.4.diff.gz

Interestingly, this one did work (diff from 4:4.6.2-0ubuntu5 (in Ubuntu) to 4:4.6.2-0ubuntu5.4):
http://launchpadlibrarian.net/109858500/qt4-x11_4%3A4.6.2-0ubuntu5_4%3A4.6.2-0ubuntu5.4.diff.gz

Additionally, mdeslaur published puppet today using syncSource and it seems to work fine (diff from 2.6.4-2ubuntu2.9 to 2.6.4-2ubuntu2.10):
https://launchpad.net/ubuntu/+source/puppet/2.6.4-2ubuntu2.10
http://launchpadlibrarian.net/109919228/puppet_2.6.4-2ubuntu2.9_2.6.4-2ubuntu2.10.diff.gz

Tags: qa-ok

Colin Watson (cjwatson) wrote :

update_files_privacy indeed doesn't touch PackageDiffs.

qt4-x11 4:4.6.2-0ubuntu5.3 was originally in the security PPA, and was copied into lucid-security. When the copy happened, a new diff was requested (thinking for some reason that the ancestry was 4:4.6.2-0ubuntu5). We would need to be a little careful here to avoid leaks: we can only make the diff public if it's against an SPR that is published in a public archive. Otherwise I guess we should simply delete it.

description: updated
Colin Watson (cjwatson) wrote :

Actually, I may be confused. Copying source packages is supposed to publicise their diffs:

        # Re-upload the package diff files if necessary.
        package_files.extend(
            [(diff, 'diff_content')
             for diff in sourcepackagerelease.package_diffs])

Colin Watson (cjwatson) wrote :

I suspect (without proof) that update_files_privacy is working fine, and that this is actually the fault of the new diff requested by PCJ.attemptCopy. I note that delayed copies don't bother to request a new diff for the copy target, and syncSource is using delayed copies in this case; moreover, we can see a bug caused by delayed copies not doing so, in that the new rhythmbox SPR ought to have a diff against 2.90.1~20110908-0ubuntu1.3 and doesn't, so the correct fix is to fix this new diff and not to remove it. See also bug 294886.

Colin Watson (cjwatson) wrote :

Ah, I think I may see the problem. PackageDiff.private looks at the privacy of its SPR's upload_archive. Compare with lib/lp/security.py:ViewSourcePackageRelease, which considers an SPR to be public if any of the archives it's published in are public.

So, if this is correct, it has nothing to do with copying as such; rather, the bug is that any diff generated against a source package originally uploaded to a private archive is itself private.
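
The mismatch described in the comments above, as an added example that is not Launchpad's code or part of the original report: a simplified model that compares the upload-archive rule with a publication-based rule and flags diffs where they disagree. All class, field and function names, the archive names, and the `0~constructed-embargoed` version are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical, simplified model: not Launchpad's schema or code.
@dataclass(frozen=True)
class Archive:
    name: str
    private: bool

@dataclass
class SPR:
    version: str
    upload_archive: Archive
    published_in: list = field(default_factory=list)

    def is_public(self):
        # Rule the comment attributes to ViewSourcePackageRelease.
        return any(not a.private for a in self.published_in)

@dataclass
class PackageDiff:
    from_source: SPR
    to_source: SPR

def private_by_upload_archive(diff):
    # Reported behaviour (assumed here to key on the base SPR).
    return diff.from_source.upload_archive.private

def private_by_publication(diff):
    # Leak-safe rule: public only if both ends are published publicly.
    return not (diff.from_source.is_public() and diff.to_source.is_public())

def audit(diffs):
    """List diffs where the two rules disagree, with the direction."""
    out = []
    for d in diffs:
        old, new = private_by_upload_archive(d), private_by_publication(d)
        if old != new:
            kind = "hidden-but-public" if old else "exposed-but-private"
            out.append((d.from_source.version, d.to_source.version, kind))
    return out

# Constructed sample data using the qt4-x11 versions from the report.
PPA = Archive("security-ppa", private=True)
PRIMARY = Archive("ubuntu-primary", private=False)
v5 = SPR("4:4.6.2-0ubuntu5", PRIMARY, [PRIMARY])
v53 = SPR("4:4.6.2-0ubuntu5.3", PPA, [PPA, PRIMARY])
v54 = SPR("4:4.6.2-0ubuntu5.4", PPA, [PPA, PRIMARY])
held = SPR("0~constructed-embargoed", PPA, [PPA])  # never published publicly
SAMPLE = [PackageDiff(v53, v54), PackageDiff(v5, v54), PackageDiff(v5, held)]
print(audit(SAMPLE))
```

The "exposed-but-private" finding is the leak case the first comment warns about: a rule keyed only on the base SPR's upload archive would publish a diff whose other end has never appeared in a public archive.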

Colin Watson (cjwatson)
Changed in launchpad:
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Colin Watson (cjwatson)
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Martin Packman (gz)
Changed in launchpad:
status: Fix Committed → Fix Released
This report contains Public information  
Everyone can see this information.
