
Clarify intended SDK Store publishing policy for newly-created Ubuntu One accounts #803

Description

@shizuku198411

Summary

The current Workshop documentation for How to publish an SDK lists the following prerequisite:

An Ubuntu One account that’s allowed to publish SDKs.

I would like to clarify what “allowed to publish SDKs” means in the current SDK Store model.

From testing, it looks like SDK Store ownership and collaborator checks are enforced for existing SDK packages. However, it is not clear from the documentation whether publishing a newly registered SDK is intended to be open to any Ubuntu One account, similar to the Snap Store model, or whether SDK publishing should require explicit approval or allowlisting.

Test SDK

For this test, I created and published a safe SDK named nim-toolchain.

This SDK provides a Nim language development environment for workshops. It includes the Nim programming language toolchain, including Nim and nimble, for building, testing, and running Nim projects inside workshops.

The SDK is currently visible from another account with sdk info nim-toolchain:

name:       nim-toolchain
publisher:  Seiji Matsuoka (shizuku198411)
license:    MIT

This SDK provides the Nim programming language toolchain,
including Nim and nimble, for building, testing, and running
Nim projects inside workshops.

CHANNELS
  CHANNEL           VERSION  BUILD       BASE          REV    SIZE
  latest/stable     2.2.10   2026-05-29  ubuntu@24.04    2  1.16kB
  latest/candidate  ↑
  latest/beta       ↑
  latest/edge       2.2.10   2026-05-29  ubuntu@24.04    2  1.16kB

Observed behavior

I tested with two Ubuntu One accounts:

  1. Account A created and published the nim-toolchain SDK.
  2. Account B was able to log in with sdkcraft.
  3. sdkcraft whoami for Account B showed package registration, package management, revision management, release management, and unrestricted channel permissions.
  4. Account B could read public SDK information for nim-toolchain.
  5. Account B could not release a revision of nim-toolchain.
  6. Account B could upload the .sdk file to the storage endpoint, but the revision notification step failed because Account B is not a publisher or collaborator for nim-toolchain.

The sdkcraft whoami output for Account B was:

email: <redacted>
username: <redacted>
id: <redacted>
permissions: account-register-package, account-view-packages, package-manage, package-manage-acl, package-manage-metadata, package-manage-releases, package-manage-revisions, package-view, package-view-acl, package-view-metadata, package-view-metrics, package-view-releases, package-view-revisions
channels: no restrictions

The relevant failure was:

Failed to notify revision: Store operation failed:
- permission-required: No publisher or collaborator permission for the nim-toolchain sdk package

The log showed that the file upload itself succeeded:

HTTP 'POST' for 'https://storage.snapcraftcontent.com/unscanned-upload/'
Uploading bytes for 'nim-toolchain_amd64_ubuntu@24.04.sdk' ended, id '...'

Then the revision notification failed:

HTTP 'POST' for 'https://api.charmhub.io/v1/sdk/nim-toolchain/revisions'
Store operation failed:
- permission-required: No publisher or collaborator permission for the nim-toolchain sdk package

This suggests that write operations on an existing SDK package are correctly protected by publisher/collaborator permissions.

Question

Is publishing a newly registered SDK intended to be open to any Ubuntu One account, similar to publishing a newly registered snap name in the Snap Store?

Or should SDK publishing require an explicitly approved or allowlisted Ubuntu One account?

The prerequisite wording:

An Ubuntu One account that’s allowed to publish SDKs.

can be interpreted as meaning that there is an additional approval step or allowlist for SDK publishers.

However, the current observed behavior suggests that:

  • Ubuntu One login succeeds for a newly-created account.
  • SDK Store credentials can include broad package management permissions.
  • Existing SDK package ownership/collaborator checks are enforced server-side.
  • Public SDK metadata and channel maps are readable from another account.
  • The remaining unclear part is whether new SDK package registration/publishing is intentionally open to any Ubuntu One account.

Environment

  • sdkcraft version: 0.1.14
  • SDK Store API observed in logs: https://api.charmhub.io/v1/sdk/...
  • Upload endpoint observed in logs: https://storage.snapcraftcontent.com/unscanned-upload/
  • Tested SDK: nim-toolchain
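The upload-then-fail sequence above costs a full upload before the server rejects the revision. The following pre-flight check is an added example, not part of this issue or of sdkcraft: it parses the `sdkcraft whoami` and `sdk info` output formats quoted above (constructed sample values, modelled on the issue's redacted output) and reports whether the account is the listed publisher and holds the revision and release scopes. Collaborators are not shown by `sdk info`, so a negative result is advisory; the store's server-side publisher/collaborator check stays authoritative.

```python
import re

# Constructed sample outputs in the shape quoted in the issue (not real accounts).
WHOAMI_ACCOUNT_B = """\
email: b@example.invalid
username: account-b
id: PLACEHOLDER-ID
permissions: account-register-package, account-view-packages, package-manage, package-manage-releases, package-manage-revisions, package-view
channels: no restrictions
"""

SDK_INFO_NIM = """\
name:       nim-toolchain
publisher:  Seiji Matsuoka (shizuku198411)
license:    MIT
"""


def parse_kv(text):
    """Parse 'key: value' lines, the common shape of both commands' output."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def publisher_username(info):
    """Extract the username from 'Display Name (username)' in the publisher field."""
    match = re.search(r"\(([^)]+)\)\s*$", info.get("publisher", ""))
    return match.group(1) if match else info.get("publisher", "")


def preflight(whoami_text, info_text):
    """Return (ok, reason). ok is True only when local evidence shows the account
    is the publisher and the credential carries the revision and release scopes.
    Collaborator grants are not visible here, so False is advisory only."""
    me = parse_kv(whoami_text)
    info = parse_kv(info_text)
    perms = {p.strip() for p in me.get("permissions", "").split(",") if p.strip()}
    missing = {"package-manage-revisions", "package-manage-releases"} - perms
    if missing:
        return False, f"credential lacks {sorted(missing)}"
    if publisher_username(info) != me.get("username"):
        return False, (f"{me.get('username')} is not the publisher of "
                       f"{info.get('name')}; a collaborator grant is required")
    return True, "publisher with revision and release scopes"
```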
