launchpad-dev team mailing list archive
Message #01200
Re: Build From Branch, or BFB
James Westby wrote:
> Hi Julian,
>
> Thanks for writing this.
>
> On Tue Oct 06 20:48:41 +0100 2009 Julian Edwards wrote:
>> * The button will create a job request to run `bzr builddeb` or equivalent.
>
> The "or equivalent" here may need a little bit of discussion. I think
> I know what that would look like, but it needs to meet LP and IS'
> requirements.
>
> In my head it is bzr-builddeb without the bits that arbitrarily
> download things from the net, and the "hooks" that run extra code. The
> former because that's the rule for PPAs, and the latter because that
> can require extra dependencies that we have no way of specifying and
> so installing. The problem I see with this is that we will get lots of
> users confused because it builds locally but not on LP.
>
>> * The finished source package will be uploaded to Soyuz as a
>> regular source upload, however since it won't be signed we need a
>> new identification and trust mechanism to identify the person who
>> clicked the button as the uploader.
>
> This is certainly your domain, but I'm interested in what the
> "identification and trust mechanism" would look like. There is
> something similar for binary uploaders from the buildds I guess? How
> would this look different? Is it a requirement for doing things like
> recording the uploader in the source package publishing record?

Currently, we basically use anonymous ftp and rely on the key the source
package is signed with and the .changes file to determine who the
uploader/maintainer is.

This is problematic in quite a few regards and we have planned to switch
over to an authenticated (ssh based?) upload mechanism since July of last
year.

This would make it possible to upload unsigned packages or for the
uploader to be different from the person who signed the package.

[..]
Best regards
--
Muharem Hrnjadovic <muharem@xxxxxxxxxx>
Public key id : B2BBFCFC
Key fingerprint : A5A3 CC67 2B87 D641 103F 5602 219F 6B60 B2BB FCFC