Granting PPU permission on "core" packages

[Robie Basak]

This has come up a couple of times in application meetings now.

My understanding of historical use of PPU is that it usually gets used
on leaf packages. We're granting unsupervised access to upload that
packcage, and if a PPU uploader makes a packaging decision about that
package, it typically only affects users of that package because it's a
leaf package.

On the other hand, we've recently seen at least a couple of PPU requests
for "core" packages - ones that a very large proportion of users depend
on for key platform functionality.

Then we end up discussion what criteria is appropriate to consider for
such a PPU application. Is PPU appropriate for such packages at all, or
do we need something else? Alternatives might be:

0) PPU is fine for this situation.

1) Require the applicant to get core dev instead, since widespread
understanding of operations across the archive is an appropriate
prerequisite.

2) Find some other way to make this work without applicants having to
demonstrate widespread understanding across the archive. Some ideas have
floated around on transitioning to a peer-review based system, rather
than the "grant unsupervised permission to upload a subset of the
archive by package" that we currently have. But such a transition would
have to be driven by someone working with or inside the DMB,
establishing consensus, and actually doing the technical ACL
implementation, to make it happen.

In an application today we agreed that we really need consensus on this
across the DMB to avoid this being a sticking point every time we get
such an application.

I have my own opinions on the above, but I'll keep them in a separate ML
post to keep this thread starting post clean.

Robie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/devel-permissions/attachments/20240722/02ed5532/attachment.sig>