Comment 5 for bug 1023986

Ah, I think I may see the problem. PackageDiff.private looks at the privacy of its SPR's upload_archive. Compare with lib/lp/security.py:ViewSourcePackageRelease, which considers an SPR to be public if any of the archives it's published in are public.

So, if this is correct, it has nothing to do with copying as such; rather, the bug is that any diff generated against a source package originally uploaded to a private archive is itself private.