launchpad-dev team mailing list archive

[James Westby <jw+debian@xxxxxxxxxxxxxxx>]

On Tue Oct 06 20:48:41 +0100 2009 Julian Edwards wrote:
>   * A PPA picker on the source package branch page with a "Build" button
>     (and we might want to extend this to a distro upload at some point)

One thing that I forgot first time, in my opinion we will want distro upload
at some point, but we will want to experiment with PPAs first. Once we
have worked out the kinks we can activate it for the distribution.

However, the discussion of switching to sftp upload reminded me of an
unanswered question we have about this. Changing to a webapp operation
or API call to put something in the distribution moves us away from
GPG signed instructions to one based ultimately on cookies in the
browser and webapp passwords. While LP is better than many sites in
this area it certainly makes me feel uncomfortable.

Should we perhaps be looking at a different trigger mechanism, at least
for the distribution, such as an alternative .changes file format
that specifies the needed parts.

This is perhaps being overly paranoid, given that all that stops you
from adding a new GPG to my account and uploading with that right
now is the cookie/password protection. Also, removing packages
from the distribution, and when/if copying packages to the distribution
from other archives is possible, they would have the same protection.
Even so, I would like to have a discussion with the usual suspects
about this (elmo, cjwatson, kees, etc.), perhaps at UDS?

Thanks,

James