Comment 3 for bug 1550280

Colin Watson (cjwatson) wrote :

Doing this sensibly will require some work in Launchpad, as the existing mechanisms for dispatching private PPA builds to builders wouldn't be suitable here.

At the moment, I'm working on a general upgrade to our authorisation code to let us accept various kinds of more constrained tokens (with the constraints either living in the database, or in the token itself, or a composition of both). The initial goals are for this to be an optional addition to OAuth tokens, and to be usable as HTTPS access tokens for Launchpad git repositories. However, once all this is in place, we could do something like the following:

 * add an endpoint for private PPA authorisation to Launchpad's internal private XML-RPC server
 * work out how to integrate this with Apache so that the web server on private-ppa.launchpad.net will dynamically ask Launchpad to authenticate the user rather than using htpasswd files, which would let us fix a slew of existing bugs
 * add a mechanism for the autopkgtest system to request time-limited private PPA access tokens for PPAs its user can access
 * ensure that the autopkgtest system can revoke its own tokens once it's finished with them (although there would also be a time limit as a backstop)
 * as launchpad-buildd does, make sure that the access token does not show up in test logs, just in case revocation fails