RFC: auto-generated packageset for Canonical OEM enablement metapackages

Robie Basak robie.basak at ubuntu.com
Wed Aug 12 16:02:00 UTC 2020


On Tue, Aug 11, 2020 at 03:44:44PM +0100, Iain Lane wrote:
> I took away that you considered it important that the DMB directly owns 
> the set though. If that's the case, then I think it's also quite 
> possible to do it that way:

Actually I think I'm coming round towards your original suggestion now
that I better understand the requirements and the available options.
Thinking about it further I'm more confident that making use of a
staging PPA cannot introduce a backdoor, even though the use of that
does seem like a horrid workaround for what should really be a new
packageset feature.

How about:

 * The script is owned by ~developer-membership-board who will review
   MPs against it
 * The script operates on the agreed glob pattern
 * The script expands the glob using the union of the archive and a
   staging PPA
 * The script updates the packageset and emails changes made to
   devel-permission@
 * The staging PPA is owned by ~canonical-oem-metapackage-uploaders
 * The packageset is owned by ~ubuntu-archive
 * The existing bot arrangement running as ~ubuntu-archive-bot also runs
   this script (archive admins will need to arrange this)
 * Archive admins will probably want to pin the version of the script
   run for security and manually review and bump it on the DMB's
   request; I imagine that necessary updates will be rare

I think this might be the simplest arrangement that fits the
requirements? For example then there's no need for a new bot account.
However archive admins might rightly say that it isn't necessary to use
such a privileged account for this, and that some separate and more
isolated bot should be used instead. I have no objection to that either;
just that someone needs to set up and maintain that.

The process for uploaders would then be:

 * Upload to the staging PPA
 * Wait until the bot has run
 * Upload to the archive
 * Await NEW review

This assumes the packageset will accept an entry in a PPA but not yet in
the archive of course.

I'm not keen on having some of the moving parts here at all simply
because this arrangement seems quite complex.

The only simpler option I can think of is to get Launchpad packageset
glob support. This is actually the second case where this would be
useful; the first is documented at
https://wiki.ubuntu.com/DeveloperMembershipBoard/KnowledgeBase#Personal_packagesets_and_glob_expansions
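
An added illustration of the glob-expansion step proposed in the message above; it is not part of the original post and is not the DMB's script. The pattern `oem-*-meta`, the package names, the packageset name and the removal of entries that no longer match are assumptions, and Launchpad API access is left out: the name sets are passed in.

```python
from fnmatch import fnmatchcase

# Assumed placeholder: the thread only says "the agreed glob pattern".
AGREED_GLOB = "oem-*-meta"


def expand_glob(pattern, archive_sources, ppa_sources):
    """Names in the union of archive and staging PPA that match the glob.

    fnmatchcase matches the whole name, so a staging-PPA upload can only
    add a name the reviewed pattern already allows.
    """
    candidates = set(archive_sources) | set(ppa_sources)
    return {name for name in candidates if fnmatchcase(name, pattern)}


def plan_update(pattern, archive_sources, ppa_sources, current_set):
    """Return (to_add, to_remove) for the packageset, both sorted."""
    wanted = expand_glob(pattern, archive_sources, ppa_sources)
    current = set(current_set)
    # Assumption: entries no longer matching anywhere are dropped.
    return sorted(wanted - current), sorted(current - wanted)


def format_report(packageset, to_add, to_remove):
    """Plain-text change summary of the kind that would be emailed."""
    if not to_add and not to_remove:
        return ""
    lines = [f"Packageset {packageset} changed:"]
    lines += [f"  + {name}" for name in to_add]
    lines += [f"  - {name}" for name in to_remove]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample data, not real archive contents.
    archive = {"hello", "oem-alpha-meta", "oem-alpha-tools"}
    staging_ppa = {"oem-beta-meta", "oem-beta-meta-extra", "unrelated"}
    current = {"oem-alpha-meta", "oem-old-meta"}
    add, remove = plan_update(AGREED_GLOB, archive, staging_ppa, current)
    print(format_report("example-packageset", add, remove))
```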