We are trying to determine what actions (if any) we need to take here, and we’re having some trouble interpreting the original post and many of the subsequent comments, as some appear to be contradictory.
Background info:
- We have a number of Connect apps (for both JIRA and Confluence) that use ACE
- Versions of ACE differ across these apps (some are currently using v7.1.4, others are using the latest v7.3.0).
- It is our understanding that the apps on v7.1.4 will need to be upgraded to use a more recent version of ACE.
- In all apps, our atlassian-connect.json descriptors have the following values:
  {
    ...
    "lifecycle": {
      "installed": "/installed"
    },
    "authentication": {
      "type": "jwt"
    },
    "apiMigrations": {
      "gdpr": true,
      "context-qsh": true
    }
    ...
  }
- We don’t (currently) have the signed-install key set in any of our config.json files.
Questions:
Our confusion is around the following statements (emphasis is ours):
Q: If ACE opts in by default, do we still need to explicitly set "signed-install": "enabled" in our config.json file? And where you say “not defined in the app descriptor” you mean config.json, right?
We have not yet seen any AMS tickets assigned to us for our apps in relation to this issue (despite the fact that we know some apps require action on our part, e.g. the ones currently on ACE v7.1.4).
Q: Should we have been notified of this issue via AMS tickets yet?
(We are Silver tier partners, if that makes any difference).
Closing thoughts:
It is very concerning to us that there has been zero communication of this breaking change, other than here on CDAC. Had we not stumbled on this post, we would not have been aware of the change, despite the deadline of 20 Aug 2021 having been announced over 3 weeks ago, and with only 4-5 weeks left.
While we appreciate that CDAC is a primary communication channel, in the case of a breaking change such as this, we would have expected something a bit more explicit (such as the email that was sent regarding the context-qsh vulnerability back in April 2021).
In our opinion this whole change has been very poorly communicated, both in the wording/language used in the above post, and the mechanism by which it is being communicated to vendors.
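An added example, not from the post above and not ACE's own code: a small Python audit that inventories several Connect apps' atlassian-connect.json and config.json files for the settings the post discusses (JWT authentication, the context-qsh opt-in, and whether signed-install is set in each environment block). It assumes ACE's config.json is keyed by environment name and uses the value the post quotes, "enabled"; the app names and file contents are constructed samples.

```python
import json

# Constructed sample files for two made-up apps (not real descriptors).
SAMPLE_APPS = {
    "app-a": {
        "atlassian-connect.json": json.dumps({
            "lifecycle": {"installed": "/installed"},
            "authentication": {"type": "jwt"},
            "apiMigrations": {"gdpr": True, "context-qsh": True},
        }),
        # Assumption: config.json is keyed by environment name.
        "config.json": json.dumps({
            "development": {"port": 3000},
            "production": {"port": 3000, "signed-install": "enabled"},
        }),
    },
    "app-b": {
        "atlassian-connect.json": json.dumps({
            "authentication": {"type": "jwt"},
            "apiMigrations": {"gdpr": True},
        }),
        "config.json": json.dumps({"development": {}, "production": {}}),
    },
}


def audit_app(descriptor_text, config_text):
    """Return findings for one app: auth type, context-qsh opt-in, and
    the environments whose config block lacks a signed-install key."""
    descriptor = json.loads(descriptor_text)
    config = json.loads(config_text)
    migrations = descriptor.get("apiMigrations", {})
    missing = [env for env, block in config.items()
               if isinstance(block, dict) and "signed-install" not in block]
    return {
        "jwt_auth": descriptor.get("authentication", {}).get("type") == "jwt",
        "context_qsh": migrations.get("context-qsh") is True,
        "envs_without_signed_install": missing,
    }


def audit_all(apps):
    """Audit every app in the inventory; returns {app_name: findings}."""
    return {name: audit_app(f["atlassian-connect.json"], f["config.json"])
            for name, f in apps.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_APPS).items():
        print(name, findings)
```

Point the inventory at real files by replacing the constructed SAMPLE_APPS with the contents read from each app's repository.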