Closed Bug 843419 Opened 11 years ago Closed 11 years ago

Code discrepancy between code viewer and downloaded zip

Categories

(Marketplace Graveyard :: Reviewer Tools, defect, P1)

Product:
Marketplace Graveyard
Component:
Reviewer Tools
Platform:
x86
macOS
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
2013-02-28

People

(Reporter: adora, Assigned: robhudson)

Details

Example app:  https://marketplace.firefox.com/files/browse/193736/

Observe: file viewer shows geolocation permissions in manifest.

Compare that to the zip from the mini-manifest:  https://marketplace.firefox.com/reviewers/signed/untappd/1424162

The manifest in the zip does NOT include the latest changes to add geolocation permissions.
Rob - can you investigate this?
Assignee: nobody → robhudson.mozbugs
Priority: -- → P1
Target Milestone: --- → 2013-02-28
(In reply to Lisa Brewster [:adora] from comment #0)
> The manifest in the zip does NOT include the latest changes to add
> geolocation permissions.

When you say, "latest changes"... was there a prior version that was deleted? And the version currently existing was uploaded afterwards? I'm assuming this is true.

After reviewing the code and the above hints, this is what looks like happened...

1. Version A was submitted and reviewed and possibly rejected.
2. Developer deleted version A via devhub, fixed a problem, and uploaded version B with the same version string in the manifest.
3. Version B was reviewed, file viewer looks good, but on install it seems like Version A is still sticking around.

Some facts:
* We only sign on first reviewer request, not when the file is uploaded. We did this to try to avoid unnecessary signing.
* We copy the signed zip to another location on the file system.
* The filename includes a version string in the filename, e.g. "untappd-1.0.signed.zip".

When Version A was deleted and Version B uploaded with the same version string -- something we normally prevent with prior versions -- the signed file, which is now a copy of Version A + signing, was/is still there. So the copy + signing never happened for Version B.

I think the easiest fix is to remove the signed copies when a version is deleted.

Note: Test the above flow to verify that with "soft deleted" versions (bug 800087) we still allow uploads of the same version string. It looks like it should.
Ugh! Its the problem with add-on versions persisting after being deleted all over again!
Sounds like good sleuthing, Rob.  This app is a preinstall for MWC...is there any way to get the right files in place ASAP?  Or should the developer resubmit with a different version number?
Submitting with a diff version number is probably the easiest thing. I have a patch locally that I'll have reviewed but I'm not sure if it'll make it for push today.
Submitting with a different version worked for Untappd.
This commit removes the signed files when a version is deleted.
https://github.com/mozilla/zamboni/commit/e1b23be
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.