
launchpad-dev team mailing list archive

Re: Packaging permissions redux

 


On 11-03-08 10:30 AM, Deryck Hodge wrote:
> I'm wondering if we're not overstating the danger here.  Maybe not,
> but let's think this through fully first.
> 
> In order to overwrite translations, we need a packaging link +
> translations enabled upstream + a potemplate with the same name on
> both sides.  Given this, are we really in much danger?  Or am I
> misunderstanding how this works or the danger?

We are already presuming the packaging link.  And our UI will encourage
enabling translations.

Can the filenames be the same?  Yes.  AIUI, there are two main cases:
1. the template is named "messages.pot".  This is often the case for
projects that have just started using translations.
2. a package and project $foo could have different software, but both
contain $foo.pot.  AIUI, using the name $foo.pot is a best practice.  In
this case, I believe Launchpad would *recommend* creating the bogus
packaging link.

I don't want to overstate the danger.  I think that bogus packagings
will waste cycles, and can lose origin information, but I don't see us
losing anything critical.  We will certainly not lose any approved
translations on either side.

> I recognize people set bad links regularly, but do we really think
> these 3 conditions will likely be set incorrectly as well?

So "people set bad links regularly" means we have the first part
"packaging link", regularly.  The second part "translations enabled
upstream" should be common if the feature we're working on is
successful.  In the absence of hard data, the last part, "a potemplate
with the same name on both sides" seems rare, but not so rare that we
should ignore it.  If necessary, we could query the database to find out
more.

Aaron


