Copying packages to -updates always goes through unapproved queue, even when copying user is privileged

Bug #1006871 reported by Colin Watson
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
Colin Watson

Bug Description

It is right and proper that attempts to copy packages to -updates pockets (or indeed anything in a stable release, but -updates is the case where this mostly comes up) should generally fall into the unapproved queue. Behaving this way was one of Ubuntu's requirements for switching to Archive.copyPackage and friends in the first place; and it is enormously useful that the ability to copy packages around isn't restricted to archive administrators.

However, there are some cases where it is less than desirable. These are the two examples I've run into:

 1) Publication of verified stable updates from -proposed. This is done by copying from -proposed to -updates, either by a member of ubuntu-archive or by a less-privileged member of ubuntu-sru. If an archive admin does it, they then have to wait a minute or so for the PackageCopyJob to be processed, and then accept the copy.

 2) Copying of security updates from -security. We do this so that security updates are on a widely-mirrored suite on as well as on the guaranteed-faster-updating but unmirrored, saving Canonical a considerable amount of money in bandwidth. Right now, this is done using a cron job running as lp_archive@cocoplum that runs when it sees fit. However, we want to replace all uses of with API clients and eventually get rid of our cocoplum access. Changing this to an API client at the moment would involve some kind of arrangement to automatically accept copies from the queue.

Now, given that I just landed a branch that exports PackageUpload.acceptFromQueue, it's in principle possible for us to do this kind of thing automatically by having something that sleeps for thirty seconds, checks the queue for things it just copied, accepts anything it finds, and repeats until either it's accepted everything or some timeout is reached. However, to me, writing this kind of code is an admission of failure in Launchpad. I'd much rather come up with a way to avoid this extra step.

As a strawman proposal, how about if any copies performed by somebody who would pass a permission check on PackageUpload.acceptFromQueue were auto-approved if they would otherwise have landed in the unapproved queue? We would only want this for copies, not uploads; when archive admins upload things directory they are generally acting as developers, not archive admins, and it wouldn't be appropriate to auto-approve their uploads. But I think this could be a workable policy for copies, and it's simple to explain.

Tags: packages qa-ok

Related branches

Changed in launchpad:
status: New → Triaged
importance: Undecided → Low
tags: added: packages
Revision history for this message
Iain Lane (laney) wrote :

Maybe it would be better for this to be explicit rather than implicit? i.e. I have to confirm that I want this to bypass the queue rather than it being done for me automatically.

Colin Watson (cjwatson)
Changed in launchpad:
status: Triaged → In Progress
assignee: nobody → Colin Watson (cjwatson)
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
William Grant (wgrant)
Changed in launchpad:
status: Fix Committed → Fix Released
Colin Watson (cjwatson)
Changed in launchpad:
status: Fix Released → Fix Committed
Colin Watson (cjwatson)
tags: added: qa-ok
removed: qa-needstesting
Ian Booth (wallyworld)
Changed in launchpad:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers