Change notice - Changes to installation of a local app on Atlassian Cloud products

Atlassian products will no longer allow installation of a local app in development mode at “Manage apps“ page, which uses the same key as an installed Atlassian Marketplace app. When this is attempted the install will fail with the following message:

Why this change?

This change has been put in place to prevent any user or admin confusion between locally installed apps and apps installed from Atlassian Marketplace.

What’s the alternative?

If you are an app developer, this may affect your development process. You will now need to use a separate instance to undertake testing with a local version of your app.

3 Likes

Is this per app?
Can I mix app A from Marketplace and app B from non-Marketplace URL on an instance?

1 Like
  • If we’ve uninstalled the Marketplace app, can it install our local version of the app?
  • If not, then that means UPM stores the list of once-installed Marketplace apps in the database, is it correct?
1 Like

Should we continue to expect changes to be launched without any warning moving forwards?

6 Likes

@boris - I don’t have all of the details, but from what I can glean, this change was made to address security issues/concerns. Apologies for any inconveniences that this may cause you.

1 Like
  • Local version of your app won’t work in that case. The error shown in above snapshot will be thrown.
  • Let me confirm with our team on whether UPM stores that data.

We found a security bug recently and that’s why this fix had to be made immediately.

1 Like

Great to hear that Atlassian is responding to security incidents this quickly.

However, I know that at least for our team, we don’t have a good understanding around policies relating to Cloud API and general Cloud system changes. Is there a doc I have overlooked? If there isn’t, does Atlassian have plans to / a timeline to publish any such document?

1 Like

Yes, this applies per-app. You can mix marketplace and non-marketplace apps within an instance

Is there any way to have quick reboot for the environments? basically we have env named “xxx-test.atlassian.net” and “xxx-staging.atlassian.net” and both are out now. We can create new environments but can you free up the names quick enough? Its a bit too quick change atm. Any suggestions for workarounds that would affect vendors least?

1 Like

Hi @boris

You can have a look at Atlassian’s REST API policy, which states that,

The behaviour of an API may change without warning if the existing behaviour is incorrect or constitutes a security vulnerability.

In general, we do endeavour to give vendors notice of changes which affect dev loops. In certain circumstances, however, especially in the area of security, we may need to make changes without notice.

Cheers.

2 Likes

It would be interesting to read what the vulnerability was, since it’s fixed.

The lack of communication regarding this change is disappointing (I second @boris) and caused a few of our developers to encounter a jarring experience when testing the upgrade procedure of some Cloud Apps :face_with_monocle:.

It’s worth noting you can still install your Production App and Test App on the same system, as long as you do it from the ‘Install from URL’ option, not the Marketplace (or emcee) :smiley:.

As far as a ‘security vulnerability’ - this bug or feature, depending on how you look at it, has been in the Atlassian Cloud since I can remember, so the urgency of the change (without any warning) is lost on me - but given past experience, it’s not surprising :cold_face:.

2 Likes

Hi,

So I was looking for a way to reuse a fresh instance of Jira, to test apps installation process. I have created new site, did a backup, then installed our app, everything worked fine. Then I decided to clean the site by importing a backup. I was prompted to choose whether users should be overwritten or merged. I chose “merge”.

Backup was successful, however it is impossible to install the app now.

Is it a known problem? Do you have any other ideas how to clean a Jira instance for testing purposes?

I have also tried a backup with an option to override users, it also doesn’t work. This worries me, because if I can’t do a backup, then our customers probably also have problems with apps after doing a backup

Installing any app from the marketplace also doesn’t work, but I guess I will create support ticket for this, because this thread may be not appropriate

It would be nice if turning on development mode popped an info dialog:

Manage apps --> Settings --> Enable development mode

The dialog could say something like this:
Note! For your security: If you install an app from the Marketplace then you cannot upload a local version of that app. Once the Marketplace is installed then local versions are forever prohibited even if the Markeplace version is uninstalled.

The point at which we enable development mode is the perfect place to document this limitation, IMO. I just learned about this feature the hard way and now I have multiple dev instances when a single one would have sufficed.

5 Likes