Closed Bug 823691 Opened 10 years ago Closed 10 years ago
We should catch bad permissions in the manifest during validation
I like this idea. Jonas - is there any reason not to keep a list of the permissions in the validator and reject apps asking for something not on the list?
Nope, it would be great if we enforce this on the marketplace side! We should definitely not sign any package where there are permissions that don't (yet) have a meaning.
Assignee: nobody → mattbasta
Target Milestone: --- → 2013-01-03
The validator originally did this, but we decided about three months ago not to because the docs don't keep up with the implementation (and we're generally slow to update the validator), meaning folks were getting spurious warnings that the permissions they were using weren't valid permissions. Are you sure that we should reverse this? Is the cost of being a few weeks out of date worth the extra strictness in the long run?
The set of permissions is now pretty stable. Definitely stable enough that being a few weeks out won't be a big deal. We really should never sign an app which contains permissions that we don't understand since that can have unknown security implications for the end user. So if we don't catch this in the validator, we should definitely make sure it gets caught during review.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
verified fixed at https://marketplace-dev.allizom.org/developers/upload/ebd884e4e624462e9ec765281dc692a4 We are using https://docs.google.com/spreadsheet/ccc?key=0Akyz_Bqjgf5pdENVekxYRjBTX0dCXzItMnRyUU1RQ0E#gid=0?
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.