We are trying to determine what actions (if any) we need to take here, and we’re having some trouble interpreting the original post and many of the subsequent comments, as some appear to be contradictory.
- We have a number of Connect apps (for both JIRA and Confluence) that use ACE
- Versions of ACE differ across these apps (some are currently using `v7.1.4`, others are using the latest
- It is our understanding that the apps on `v7.1.4` will need to be upgraded to use a more recent version of ACE.
- In all apps, our `atlassian-connect.json` descriptors have the following values:
- We don’t (currently) have the `signed-install` key set in any of our
Our confusion is around the following statements (emphasis is ours):
Q: If ACE opts in by default, do we still need to explicitly set `"signed-install": "enabled"` in our `config.json` file? And where you say “not defined in the app descriptor” you mean
We have not yet seen any AMS tickets assigned to us for our apps in relation to this issue (despite the fact that we know some apps require action on our part, e.g. the ones currently on ACE v7.1.4).
Q: Should we have been notified of this issue via AMS tickets yet?
(We are Silver tier partners, if that makes any difference).
It is very concerning to us that there has been zero communication of this breaking change, other than here on CDAC. Had we not stumbled on this post, we would not have been aware of the change, despite the deadline of 20 Aug 2021 having been announced over 3 weeks ago, and with only 4-5 weeks left.
While we appreciate that CDAC is a primary communication channel, in the case of a breaking change such as this, we would have expected something a bit more explicit (such as the email that was sent regarding the `context-qsh` vulnerability back in April 2021).
In our opinion this whole change has been very poorly communicated, both in the wording/language used in the above post, and the mechanism by which it is being communicated to vendors.