-
click-reviewers-tools (0.44~16.04.1) xenial-proposed; urgency=medium
[ Jamie Strandboge ]
* data/apparmor-easyprof-ubuntu.json:
- add pulseaudio interface
- add bluetooth policy group for Touch for 15.04 and higher
- add location-observe and location-control
- move all core interfaces to 'common'
- add gsettings interface
- set home to auto-approve
- add mpris interface
- add camera interface
- add optical-drive interface
- add serial-port interface
- add content interface
* clickreviews/common.py:
- don't fail on libmvec.so since it comes from libc6 too (LP: #1584346)
- extend the regex to also match ld-linux-x86-64.so.2
* sr_common.py:
- update _verify_pkgname() and _verify_appname() to use the same regex as
in snapd and various tests
- update attributes to be slots or plugs side and clean up code for
specifying attributes
* bin/click-review, clickreviews/modules.py: exit '1' if error with
init_object or running checks
* sr_lint.py:
- support 'environment' key in yaml (LP: #1583259)
- support 'confinement' key in yaml
* sr_security.py:
- specifying mpris slot should not warn
- adjust profile name length checks to use series 16 security label format
* run_tests: exit non-zero with failures, errors or unexpectedSuccesses
* cr_lint.py:
- 'puritine' is a known, but redflagged hook
- skip external symlinks and md5sums checks for puritine (since we expect
external symlinks and the hash checks fail on broken symlinks)
- 'puritine' hook should not be used with 'apparmor'
* clickreviews/apparmor_policy.py: adjust for rename of store team
(LP: #1608943)
[ Celso Providelo ]
* support for interface abbreviated syntax (LP: #1595184)
-- Jamie Strandboge <email address hidden> Tue, 02 Aug 2016 08:43:31 -0500
-
click-reviewers-tools (0.43~14.04.1) xenial-proposed; urgency=medium
[ Jamie Strandboge ]
* sr_lint.py:
- kernel snaps may have external symlinks
- handle top-level plugs and slots with yaml data as 'null' (LP: #1579201)
- add epoch checks (LP: #1583298)
- .pyc are arch-independent, so don't complain about them
- add confinement checks (LP: #1580819)
* data/apparmor-easyprof-ubuntu.json:
- add opengl interface as 'common' (LP: #1572140)
- add reserved bluez, network-manager and location-observe interfaces
* sr_security.py:
- remove last reference to 'cap'
- turn resquash test into info for now until the squashfs-tools bugs are
fixed and this is a reliable check
* when 'confinement' is 'devmode', override the result type to 'info'
- common.py: add override_result_type to allow in support of 'confinement'
overrides
- sr_common.py: add _devmode_override()
- sr_security.py: use override_result_type if in devmode
- LP: #1584231
-- Jamie Strandboge <email address hidden> Fri, 20 May 2016 16:06:55 -0500
-
click-reviewers-tools (0.42) xenial; urgency=medium
* add test to verify snapd-control is reserved
* sr_lint.py: implement interface slots checks
* sr_security.py: implement interface slots checks (force manual review for
now when specifying slots)
* debian/links: create snap-review symlink to click-review
-- Jamie Strandboge <email address hidden> Thu, 21 Apr 2016 09:10:27 -0500
-
click-reviewers-tools (0.41) xenial; urgency=medium
* sr_lint.py: verify key name in the apps dictionary (LP: #1570914)
-- Jamie Strandboge <email address hidden> Fri, 15 Apr 2016 10:24:17 -0500
-
click-reviewers-tools (0.40) xenial; urgency=medium
* sr_lint.py: ppc64el and s390x are valid architectures
* add bool-file interface tests
* remove obsoleted old-security interface checks
* properly handle app 'plugs' without toplevel 'plugs' (LP: #1569226)
* implement native plugs and app plugs checks
-- Jamie Strandboge <email address hidden> Wed, 13 Apr 2016 15:19:47 -0500
-
click-reviewers-tools (0.39) xenial; urgency=medium
* bin/click-review:
- exit 1 if fatal error, 2 if found errors/warnings and 3 if found
warnings (LP: #1523255)
- make help output more verbose (including return codes)
- add overrides as optional positional argument
* [cs]r_lint.py: change the order of the checks so that an obsolete or
deprecated in the override takes precedence over 'available'
* migrate from skills to interfaces (LP: #1549427)
* sr_security.py:
- improve resquash failure error message
- short-circuit if squashfs has symlinks (LP: #1555305)
- os snap is not built with -all-root, ignore checksum mismatch
* cr_security.py: webapps may now use camera, microphone and connectivity
* sr_lint.py:
- adjust for stop -> stop-command and poststop -> post-stop-command
- make unknown field warning for apps more clear
- normalize path specified in snap.yaml for command
* remove type framework, frameworks and bus-name checks since frameworks
aren't supported on 16.04 (LP: #1557126)
* debian/control: Build-Depends on pyflakes3 instead of pyflakes
-- Jamie Strandboge <email address hidden> Tue, 22 Mar 2016 10:37:09 -0500
-
click-reviewers-tools (0.38) xenial; urgency=medium
* sr_security.py: add check_squashfs_resquash()
-- Jamie Strandboge <email address hidden> Fri, 26 Feb 2016 08:41:28 -0600
-
click-reviewers-tools (0.37) xenial; urgency=medium
[ Jamie Strandboge ]
* cr_lint.py: 'accounts' hook was added in 15.04.1. The other checks are
already in place since r553 which missed this addition
* refactor and make less click-centric such that click and snap v1 tests
use existing scripts and snap v2 will use new scripts. The cr_* tests have
16.04 checks removed (since this simplifies them and this code won't be
run anyway)
* add bin/detect-package and detect_package()
* rename unpack-click as unpack-package
* add snap v2 lint checks (LP: #1532842)
* add snap v2 security checks
* squashfs snaps no longer require manual review
* debian/control: bump squashfs-tools to Depends and add to Build-Depends
[ James Tait ]
* cr_lint.py: Don't check for the presence of readme.md if the package is a
squashfs filesystem. Snappy 2.0 uses squashfs as its file format, and
doesn't require readme.md.
-- Jamie Strandboge <email address hidden> Mon, 22 Feb 2016 16:41:14 -0600
-
click-reviewers-tools (0.36) xenial; urgency=medium
[ Daniel Holbach ]
* Add check if suspected (using python-magic) compiled binaries
aren't actually just message catalogs (.mo files) (LP: #1530894).
[ Martin Albisetti ]
* add gadget type
[ Michael Vogt ]
* Merge partial support for snap.yaml in 16.04
-- Jamie Strandboge <email address hidden> Mon, 01 Feb 2016 11:37:35 -0600
-
click-reviewers-tools (0.35.1) xenial; urgency=medium
* No change rebuild for newer python3
-- Jamie Strandboge <email address hidden> Mon, 01 Feb 2016 10:07:35 -0600
-
click-reviewers-tools (0.35) xenial; urgency=medium
[ Jamie Strandboge ]
* clickreviews/cr_systemd.py:
- add checks for listen-stream, socket, socket-user and socket-group
- remove vendor checks with bus-name (LP: #1510522)
* clickreviews/cr_security.py:
- make sure that the generated profile name is under the current 253
character maximum. This might have to be adjusted after the AppArmor
stacking work is completed (LP: #1499544)
- adjust for xenial snappy defaulting to using 'network-client' instead
of 'networking'
- use 'NEEDS REVIEW' instead of 'MANUAL REVIEW'
* clickreviews/cr_lint.py:
- check if package ships .click directory
- add a few more vcs files
- remove vendor-specific checks. 'vendor' is still allowed for
compatibility with older snappy versions, but no formatting checks are
performed (LP: #1510522)
- 'Maintainer' checks in the click manifest should only be done with click
packages (LP: #1510522)
- don't prompt manual review when finding a .excludes file
- add kernel and os as valid snap types
- remove package filename checks. They were meaningless and hard to
maintain
- sort unknown snappy yaml keys
- use 'NEEDS REVIEW' instead of 'MANUAL REVIEW'
* clickreviews/cr_common.py:
- add valid yaml keys for kernel snaps
- add a couple more mime types for detecting binaries (useful for arm
kernels)
* update data/apparmor-easyprof-ubuntu.json for 16.04 policy
* Makefile: add json syntax check
* several changes for squashfs snaps that won't have a click manifest, etc.
Importantly, this means that only package.yaml is looked at and a lot of
click specific tests can be skipped
- cr_common.py:
+ rename a few variables to not be click specific
+ add self.pkgfmt
+ adjust __init__() to conditionally use package.yaml on squashfs,
otherwise click manifest
+ make click data structure initialization conditional on if click
or not (eg, don't run hooks code on squashfs images)
- adjust clickreviews/cr_* to conditionally run certain click-only tests
on click packages
- adjust architecture checks to use self.pkg_arch and rename
control_architecture_specified_needed as architecture_specified_needed
- cr_security.py:
+ revamp to use package.yaml on non-click instead of now nonexistent
security manifest
+ update push-helper template test to not make hooks specific
+ network-client should not be allowed with push helpers either
+ conditionally look for INSTALL_DIR on 16.04 systems in security-policy
+ adjust security-override checks on 16.04 to follow 16.04 yaml
+ make click manifest checks conditional on if click
- cr_tests.py: mock _pkgfmt_type(), _pkgfmt_version() and _is_squashfs()
[ Michael Nelson ]
* add support for non-mocked tests
[ Michael Vogt ]
* add support for squashfs snaps (currently will trigger manual review)
[ Daniel Holbach ]
* Pass absolute path of click or snap file - that way it's safe even if we
chdir (LP: #1514346).
* Allow translated scope .ini fields to have 3 letters as their lang_code
identifier, ie. 'ast'. (LP: #1517017)
* Ensure "urls" is not empty (LP: #1522777)
[ James Tait ]
* Add a handful of links to askubuntu questions to explain some of the
rejection messages.
[ Alberto Mardegan ]
* Allow "accounts" hook since the 15.04.1 framework
* Online Accounts: update to latest plugin hook format (LP: #1520605)
[ Marcus Tomlinson ]
* Forbid the internal "DebugMode" scope.ini key from making its way into the
store (LP: #1511063)
-- Jamie Strandboge <email address hidden> Mon, 14 Dec 2015 16:09:52 -0600
-
click-reviewers-tools (0.34) wily; urgency=medium
[ Jamie Strandboge ]
* multiple 'desktop' hooks should only be 'info' these days (LP: #1496402)
* verify snaps that use 'bus-name' are of 'type: framework'
* clickreviews/cr_lint.py:
- snappy package.yaml defaults to 'architectures' and 'architecture' is
deprecated. Adjust and add a warning for deprecation.
- arm64 is a valid architecture now
- don't warn on libc6 libraries with check_external_symlinks
- don't traceback on broken symlinks when checking for hardcoded paths
(LP: #1502962)
* clickreviews/cr_security.py: don't complain about missing AppArmor
template vars if we detect this is unconfined boilerplate policy
-- Jamie Strandboge <email address hidden> Fri, 09 Oct 2015 17:47:39 -0500