Per-pocket upload permissions

Colin Watson cjwatson at ubuntu.com
Thu Jun 14 12:01:51 UTC 2012 

On Thu, Jun 14, 2012 at 12:37:46PM +0100, Iain Lane wrote:
> On Thu, Jun 14, 2012 at 12:24:07PM +0100, Colin Watson wrote:
> > My fix to https://bugs.launchpad.net/launchpad/+bug/914779 (second time
> > lucky) will hopefully be rolled out tomorrow, or failing that on Monday.

(I may have lied; the .au Launchpad cabal are in a hurry for something
else so I might get to ride along with that today.)

> > Once that's in place, I would like to add the following upload
> > permissions as suggested by Iain Lane:
> > 
> >   -backports: ~ubuntu-backporters
> >   -security: ~ubuntu-security
> > 
> > Iain also suggested -proposed/-updates: ~ubuntu-sru, but I don't think
> > that makes so much sense; ~ubuntu-sru has more of a queue admin kind of
> > role, so I'd prefer that to wait until I get round to a bit of follow-up
> > work to allow per-pocket queue admins.
> 
> Thanks for the work — this is a nice improvement. :-)

You're welcome.

> On this point, I can't be entirely sure (it was some time ago), but I
> suppose I was thinking that it would be good to ensure that SRU team
> members can use sru-release themselves, which requires upload privileges
> due to the use of copyPackage via the API if I'm not mistaken (only
> -updates would be needed here, not -proposed.  -proposed is probably not
> so useful, except if we want to ensure that they can sponsor all SRUs
> too).

Also for copying kernel PPA uploads and the like into -proposed;
although the kernel people can do that themselves nowadays (modulo
approval), so yeah, I do think that one's a bit tenuous.

> If there's also another UNAPPROVED step there then just being able to
> upload doesn't gain much: queue admin would also be required.

I think I would prefer to fix things for ~ubuntu-sru by way of two other
changes.  Firstly, I'd like to widen the permissions on
Archive.copyPackage to permit queue admin, which I would like to do
anyway in order to facilitate turning the semi-automatic Debian sync
process into a fully-automatic one:

  https://bugs.launchpad.net/launchpad/+bug/1006917

Secondly, I'd like to cause copies to bypass approval if the copying
user is a queue admin:

  https://bugs.launchpad.net/launchpad/+bug/1006871

In combination with https://bugs.launchpad.net/launchpad/+bug/648611
(which I actually think is phrased overly strictly; I don't know that
there's any particular need to restrict such permissions to the
unapproved status, and it would be a lot quicker to implement if that
constraint weren't there), this would allow us to grant ~ubuntu-sru
queue admin permission on -updates and then they could just run
sru-release without the need for an extra approval step.

There are several separate issues here, but I believe they're all now
quite shallow.  648611 and 1006917 at least are definitely just a few
lines of code plus tests.  So if anyone objects to any of the policy
changes here, please do speak now because there is some danger that I
might actually have time to implement these relatively soon. :-)

-- 
Colin Watson                                       [cjwatson at ubuntu.com]

More information about the technical-board mailing list