I found a packaged app which upon installation would throw this JS error
We should be more stringent during validation and not allow bad permissions in the manifest.
I like this idea. Jonas - is there any reason not to keep a list of the permissions in the validator and reject apps asking for something not on the list?
Nope, it would be great if we enforce this on the marketplace side! We should definitely not sign any package where there are permissions that don't (yet) have a meaning.
The validator originally did this, but we decided about three months ago not to because the docs don't keep up with the implementation (and we're generally slow to update the validator), meaning folks were getting spurious warnings that the permissions they were using weren't valid permissions.
Are you sure that we should reverse this? Is the cost of being a few weeks out of date worth the extra strictness in the long run?
The set of permissions is now pretty stable. Definitely stable enough that being a few weeks out won't be a big deal.
We really should never sign an app which contains permissions that we don't understand since that can have unknown security implications for the end user. So if we don't catch this in the validator, we should definitely make sure it gets caught during review.
verified fixed at https://marketplace-dev.allizom.org/developers/upload/ebd884e4e624462e9ec765281dc692a4
We are using https://docs.google.com/spreadsheet/ccc?key=0Akyz_Bqjgf5pdENVekxYRjBTX0dCXzItMnRyUU1RQ0E#gid=0?
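The allowlist check discussed in this thread, sketched as an added example; it is not code from the Marketplace validator or from anyone in the discussion. The permission names in `KNOWN_PERMISSIONS`, the function name `check_permissions` and the sample manifests are assumptions constructed for illustration.

```python
import json

# Assumed allowlist for illustration; the authoritative list lives outside this example.
KNOWN_PERMISSIONS = frozenset(
    {"alarms", "contacts", "geolocation", "storage", "systemXHR"}
)

# Constructed sample manifests (not taken from any real app).
SAMPLE_OK = '{"name": "demo", "permissions": {"contacts": {"access": "readonly"}}}'
SAMPLE_TYPO = '{"name": "demo", "permissions": {"geolocaton": {}, "alarms": {}}}'
SAMPLE_WRONG_TYPE = '{"name": "demo", "permissions": ["contacts"]}'


def check_permissions(manifest_text, known=KNOWN_PERMISSIONS):
    """Return a list of error strings; an empty list means nothing blocks signing.

    The check fails closed: anything that cannot be parsed or is not on the
    allowlist is reported as an error rather than passed through with a warning.
    """
    try:
        manifest = json.loads(manifest_text)
    except ValueError as exc:
        return ["manifest is not valid JSON: %s" % exc]
    if not isinstance(manifest, dict):
        return ["manifest must be a JSON object"]

    # A manifest without a permissions block requests nothing.
    permissions = manifest.get("permissions", {})
    if not isinstance(permissions, dict):
        return ["'permissions' must be an object keyed by permission name"]

    errors = []
    for name in sorted(permissions):
        # Exact, case-sensitive match: a misspelled name is treated as unknown.
        if name not in known:
            errors.append("unknown permission %r: refusing to sign" % name)
    return errors


if __name__ == "__main__":
    for label, text in [("ok", SAMPLE_OK), ("typo", SAMPLE_TYPO),
                        ("wrong type", SAMPLE_WRONG_TYPE)]:
        print(label, "->", check_permissions(text) or "accepted")
```

Passing the allowlist in as a parameter means it can be refreshed from whatever source of truth the team maintains without changing the check itself.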