some way to create an API token restricted to only certain operations
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Triaged | Low | Unassigned |
Bug Description
I'm thinking of moving a script [1] that currently runs as lp_archive@cocoplum (which we want to get rid of the Ubuntu archive team's shell access to) to an API script that runs on the shared ubuntu-archive account on lillypilly (a.k.a. people.
On the whole I think this is a stepping stone to an improvement in system security, albeit only one of many. However, it would require creating a bot account that's a member of the ~ubuntu-archive team, which owns the Ubuntu primary archive, and setting up ubuntu-
However, to reduce the security exposure in the event of a compromise, it would be nice if it were possible to restrict the capabilities of the token in the possession of ubuntu-
[1] The purpose of the script is to automatically copy packages from -security to -updates pockets in stable releases provided that the history in -updates hasn't diverged, which is an operation that saves Canonical a considerable amount of money due to the way it interacts with mirroring.
Changed in launchpad:
status: New → Triaged
importance: Undecided → Low
tags: added: api oauth