launchpad-reviewers team mailing list archive

[Colin Watson <mp+420028@xxxxxxxxxxxxxxxxxx>]

Well, it isn't really safe, because we don't have a way to generate Artifactory credentials that are only good for a single build.  So all we can do is mitigate that.  The assumption I've been working on is that people who have access to a private distribution that publishes to Artifactory can be assumed to have access to Artifactory themselves, and so allowing them to potentially get hold of another set of read-only credentials isn't too big a deal.

We can't just send these credentials for all CI builds, though, because only builds in the private distribution that's publishing to Artifactory should have them, not all public builds.

Furthermore, the base URL may not be quite the right thing to send here.  The base URL is something like https://canonical.jfrog.io/artifactory, but that's for the whole installation - builds would need to be pointed at individual repositories underneath that, and they'd quite possibly need to be given a list of URLs rather than a single URL (similar to the sort of archive-dependency-following logic in `lp.soyuz.adapters.archivedependencies`.

The problem now is that CI builds don't know what archive they're supposed to use as their source, and I think we need to figure out how to do that before we can solve any of the other problems here.  It's not immediately obvious where to put that sort of configuration (`GitRepository` might work, but it would mean copying configuration among a lot of repositories), and we may need to have a chat with Security about what would work best for them.
-- 
https://code.launchpad.net/~jugmac00/launchpad/+git/launchpad/+merge/420028
Your team Launchpad code reviewers is requested to review the proposed merge of ~jugmac00/launchpad:pass-artifactory-credentials into launchpad:master.