I published a lot of snaps either under my name or under snapcrafters, as the main publisher or a collaborator. I am no longer a collaborator on most of them, but I’m still getting security mails for outdated packages. How do I remove myself from getting these emails. Yes, someone should get them, and someone should do something about them, but I can’t, as I no longer have access.
@emitorino this might be one for you
I’m moving this to the store-requests category since probably either @emitorino or myself are best placed to sort this out.
@popey can you give an example of one snap so I can try and see what is going on here?
Sadly I can’t as I deleted all the emails. I will have to wait for some more mails to arrive.
@popey could you please indicate one snap name so we can understand how the collaborators are managed for it?
Adding @roadmr as well to this loop.
As per the emails, I can’t give you a concrete example until another security email goes out. At a guess you could probably pick any of discord, android-studio, android-studio-canary, signal-desktop and many other snapcrafters snaps but I can’t tell you which ones specifically as some I was a collaborator on, and others I had the password for the snapcrafters account. I no longer have either, so can’t confirm. I think we may have to wait for another security email to come out.
As an example, Alan’s share in android-studio was expired on Aug. 23, 2022. @emitorino I think this is going to end up being related to the manifest-raw updating thing you’re working on, so once that’s sorted out, this will likely resolve as well.
Just got some mails about a security update on libmysqlclient20 for the snaps opentoonz, obs-studio and flightgear. It looks likely that I had access when these were published, some time ago, but no longer do. So I expect my account is associated with those releases.
We are working on an infrastructure/config issue that is preventing the USNs notification service to get the latest information about published snaps and that’s why you are still getting the emails. We will let you know as soon as this is fixed (hopefully will be done in the following days).
This issue has been solved. Please let us know if you see any further issue.
Here’s some padding so I can say “Many Thanks!”
I got another email today for a snap I no longer have access to, mgba. It’s “To:” the current maintainer, and my address. I get a 404 when I go to the listing page because I am no longer a collaborator, so can do nothing with this information.
oops. I checked store-side and the share for Alan is marked as revoked, so it should not appear in the publisher data. @emitorino if you could please confirm whether Popey is listed as a collaborator for that snap in the data you have, and check whether your published snaps information from the store is up to date, we can check on our side to see whether we might have a bug and are still reporting “revoked” collaborator shares as active. If so, it can be fixed
I can confirm @popey is not listed as a collaborator in the recent published revisions of
I am instead under the assumption that this is related to the recent USNs for universe packages we published because of the announcement of Ubuntu Pro https://canonical.com/blog/ubuntu-pro-enters-ga, were some of those apply to old revisions @popey was still listed as a collaborator. The service notifies the current main maintainer/publisher of the snap but also to the affected revision uploader.
I will keep monitoring to see if we still have Ubuntu pro related pending notifications but no further notifications should be sent for new USNs from now on. Apologize for this issue @popey.
No worries, thanks for the prompt response.
Got another one for mgba today. It specifically calls out revision 1163 (amd64 edge) and 1164 (i386 edge) - which are the most recent revisions built, long after I no longer was a a maintainer.
Revision r1163 (amd64; channels: edge) * libmysofa0: 5184-1 * libopenjp2-7: 4782-1 * libopenmpt0: 4831-1 * libsdl2-2.0-0: 5274-1 * libzip4: 4811-1 * libzmq5: 4920-1 Revision r1164 (i386; channels: edge) * libmysofa0: 5184-1 * libopenjp2-7: 4782-1 * libopenmpt0: 4831-1 * libsdl2-2.0-0: 5274-1 * libzip4: 4811-1 * libzmq5: 4920-1
Yes, it seems there is another issue here. Thanks for the report. I will be taking a look at this.
@popey this was indeed a bug in the service which has been fixed/deployed now https://bugs.launchpad.net/review-tools/+bug/2007424. Thanks for reporting the issue.
Nice one! Thanks for letting me know it’s fixed! (and for fixing it)