RFC: auto-generated packageset for Canonical OEM enablement metapackages

Iain Lane laney at ubuntu.com
Tue Aug 11 14:44:44 UTC 2020


On Tue, Aug 11, 2020 at 03:02:43PM +0100, Robie Basak wrote:
> We don't currently have anywhere for the DMB to run scripts on "bot
> credentials". Do you have any suggestions for that?
> 
> I've also seen suggestions about handing over management of the
> packageset to a different team such as ~ubuntu-sru or ~ubuntu-archive
> (the latter makes more sense to me). AIUI, that can easily be done using
> Launchpad's existing ACL mechanisms, though of course it would be
> another level of surprising/edge case behaviour that we will need to
> carefully document. Could this help with my "bot credentials" question?

Either would be feasible. For ~ubuntu-archive we already have a bot 
account (~ubuntu-archive-robot, this drives autosync, proposed-migration 
copying and some other things) and a machine to run scripts on.

I took away that you considered it important that the DMB directly owns 
the set though. If that's the case, then I think it's also quite 
possible to do it that way:

  - The DMB owns the VCS which contains the script to drive this
  - Canonical provides a place to run the script.
  - Canonical IS (preferred, there's existing mechanisms for this on 
    their side) or the DMB itself (if you're willing to manage
    security of the credentials) own a bot account which is in 
    ~developer-membership-board
    - Alternatively, the packageset could be changed to have its owner 
      be the bot account directly or a new team containing the bot 
      account and the DMB. That would reduce the exposure if the bot's 
      credentials are compromised.
  - The script is checked out and run from cron in the above location.  
    Someone will need to run it interactively one time and log in to 
    Launchpad using the bot user.

The server which runs people.canonical.com is already accessible to 
Canonical staff interactively to run scripts. We could request IS create 
a shared user accessible to the intersection of ~canonical and 
~developer-membership-board as a place to run the script.

Cheers,

-- 
Iain Lane                                  [ iain at orangesquash.org.uk ]
Debian Developer                                   [ laney at debian.org ]
Ubuntu Developer                                   [ laney at ubuntu.com ]