launchpad-dev team mailing list archive
-
launchpad-dev team
-
Mailing list archive
-
Message #01232
Re: Build From Branch, or BFB
-
To:
Launchpad Community Development Team <launchpad-dev@xxxxxxxxxxxxxxxxxxx>
-
From:
Julian Edwards <julian.edwards@xxxxxxxxxxxxx>
-
Date:
Wed, 7 Oct 2009 15:11:45 +0100
-
In-reply-to:
<1254910282-sup-5556@flash>
-
Organization:
Canonical Ltd
-
User-agent:
KMail/1.12.1 (Linux/2.6.31-11-generic; KDE/4.3.2; x86_64; ; )
On Wednesday 07 October 2009 11:19:19 James Westby wrote:
> On Tue Oct 06 20:48:41 +0100 2009 Julian Edwards wrote:
> > * A PPA picker on the source package branch page with a "Build" button
> > (and we might want to extend this to a distro upload at some point)
>
> One thing that I forgot first time, in my opinion we will want distro
> upload at some point, but we will want to experiment with PPAs first. Once
> we have worked out the kinks we can activate it for the distribution.
Yes, that's my plan.
It's pretty trivial to add distro uploading support, we just need add an
option for that in the branch page and then the buildd-manager would upload
the source appropriately.
> However, the discussion of switching to sftp upload reminded me of an
> unanswered question we have about this. Changing to a webapp operation
> or API call to put something in the distribution moves us away from
> GPG signed instructions to one based ultimately on cookies in the
> browser and webapp passwords. While LP is better than many sites in
> this area it certainly makes me feel uncomfortable.
Can you explain why this makes you uncomfortable? It implies that you already
have a problem with this for other LP operations maybe? Can we do anything to
help with this?
> Should we perhaps be looking at a different trigger mechanism, at least
> for the distribution, such as an alternative .changes file format
> that specifies the needed parts.
From my point of view, the sheer convenience of doing these uploads from the
web is going to be amazing. I feel somewhat uncomfortable about doing
something like this as IMO it communicates that we don't trust the LP
authentication.
> This is perhaps being overly paranoid, given that all that stops you
> from adding a new GPG to my account and uploading with that right
> now is the cookie/password protection. Also, removing packages
> from the distribution, and when/if copying packages to the distribution
> from other archives is possible, they would have the same protection.
> Even so, I would like to have a discussion with the usual suspects
> about this (elmo, cjwatson, kees, etc.), perhaps at UDS?
Yes, this would make a great UDS session. Would you be able to set that up?
Cheers
J
Follow ups
References
