There is a restriction in archiveuploader preventing direct uploads to -security. This dates from 2006, specifically from the days when -security was managed outside Launchpad and so it would have been bad to accept direct uploads. Nowadays it so happens that the security team always stages uploads in a PPA and copies them over, and I don't think there's any particular drive to change that, but contrariwise there's no reason to keep this code fossil either. It looks as though it was simply forgotten when the security upload policy was removed in r11450.
<jcsackett> cjwatson: i'm looking at your security upload branch. i'll confess to being unfamiliar with the processes around this. i assume without this check there are stil checks to keep just anyone from uploading to the pocket?
<cjwatson> jcsackett: Much like -proposed/-updates, any upload to it would require manual approval by a queue admin
<jcsackett> cjwatson: ah, dig.
<jcsackett> thanks.
<cjwatson> jcsackett: In fact, today, anyone with upload rights to Ubuntu could attempt to copy a package into it (and it'd be similarly held for approval)
<cjwatson> Since copy permissions == upload permissions (I actually think copy permissions should be very slightly broader, but that's a different bug)
<jcsackett> cjwatson: ok. so this is completely unnecessary, as there's a manual check anyway, and if someone were operating in bad faith for some reason they would have a way around it anyway.
<cjwatson> I did ask the Ubuntu security team manager if he was OK with this, but he's on holiday this week
<cjwatson> The history of that code definitely looks like a fossil though
<cjwatson> I actually ran into it because I was trying to test something else on dogfood and it wouldn't let me upload to -security there :)
<cjwatson> In practice we probably want to stage elsewhere most of the time anyway because that makes sure everything's built before we expose it to users. But that seems like a distro policy decision rather than something that should be hardwired into code.
This turns out not to work properly because builds in -security are automatically failed; this in turn is tied in with avoiding redundant builds when the Ubuntu security team copies things from their PPA before they've finished building everywhere. Thus, this needs a more complete overhaul, including discussion with ubuntu-security.