Last night I talked with Bjorn & some Soyuz folks about fixing bug #347768: Allow anyone with upload rights to write to a package branch. It's a really important bug for the distro that has my full attention. My work-in-progress branch is linked to the bug.
Here's a summary of the discussion. Posted here for your information, and so that Julian et al can make sure my understanding is correct. To fix this bug I need to determine if a person has upload rights to a package, and I need to be able to grant a person upload rights for testing. What I've got: * An IPerson * A Pocket * An ISourcePackage, which itself gives me: * An IDistroSeries * An ISourcePackageName Bjorn pointed out that Bugs has to make exactly the same check in BugNomination.canApprove(). Julian made it clear to me that these are not enough, that it's impossible to get a yes / no answer to the question, "can a person upload to a source package?". Being able to upload to a source package is a function of the IArchive that one is trying to upload to. AIUI, in the abstract sense there's a function:: can_upload(IPerson, IArchive, ISourcePackage) => bool Soyuz folks, can you confirm? Here's what we decided to do: 1. Add a property to ISourcePackage, latest_published. Alias for _getFirstPublishingHistory() 2. Use latest_published (an ISourcePackagePublishingHistory) to get a component and an archive. 3. Use this data in a manner similar to BugNomination.canApprove() and verify_acl() to get a yes/no answer on whether a person can upload this package to this archive. Put this in ISourcePackage.canUploadToArchive() 4. Add some sort of convenience function for Bugs & Code to use to extract this given only an ISourcePackage, using a sensible default for the archive. An important conclusion from this is that check_permission(source_package, 'launchpad.Edit') doesn't work, and probably can never work, since without an IArchive, we can never tell for sure. There are still some open questions: * Is there an object that represents "a source package in a specific archive"? Should there be? Soyuz already has "publication" (aka ISourcePackagePublishingHistory), but Julian says that's tied to a specific version of a package. Bjorn says, "What I'm looking for is something like ISourcePackage, or maybe even IDistributionSourcePackage. Maybe they should be extended to know which archive they belong to." Places of interest: * IArchive.canUpload() * IArchive.getPermissions * canonical.launchpad.security * BugNomination.canApprove() * IDistribution.main_archive * lp/archiveuploader/nascentupload.py:verify_acl() * IArchivePermisson * ISourcePackage.latest_published_component * ISourcePackagePublishingHistory jml _______________________________________________ Mailing list: https://launchpad.net/~launchpad-dev Post to : [email protected] Unsubscribe : https://launchpad.net/~launchpad-dev More help : https://help.launchpad.net/ListHelp
