Bjorn Tillenius wrote:
> On Mon, Mar 15, 2010 at 01:23:33PM +0000, Jonathan Lange wrote:
>> On Sun, Mar 14, 2010 at 9:45 PM, Michael Hudson
>> <[email protected]> wrote:
>>> Jonathan Lange wrote:
>>>> Hello,
>>>>
>> ...
>>>> I'd like to upgrade zope.testing and take advantage of their better
>>>> subunit support, but that requires upgrading subunit too.
>>>>
>>>> We currently maintain subunit as a sourcecode dependency. We manage it
>>>> in the branch lp:~launchpad-pqm/subunit/trunk. That branch is a
>>>> KnitPackRepository. subunit trunk is a 2a repository.
>>>>
>>>> If I naively change sourcedeps.conf like so:
>>>> @@ -12,7 +12,7 @@
>>>> -subunit lp:~launchpad-pqm/subunit/trunk;revno=61
>>>> +subunit lp:~subunit/subunit/trunk;revno=120
>>>>
>>>> I get incompatible repository errors.
>>>>
>>>> subunit is not a Python package. It's built with autotools, and thus
>>>> making an egg for it is beyond my ken and maybe inappropriate.
>>>>
>>>> Which leaves me with a bunch of questions:
>>>>
>>>> 1. Changing sourcedeps.conf to point to a branch that's not managed by
>>>> our PQM is OK, isn't it? After all, we still have to pass the tests to
>>>> change the revno of the branch, so we aren't losing any safety afaict.
>>> As Max said, we are losing some safety. Not sure how much or how much
>>> we care.
>>>
>> I think we don't care.
>
> I think we should care, since this opens up the possibility for people
> to change what is being run on our production systems, without us
> knowing about it. Sure, for this particular branch it should be safe.
> But it's easier to have a policy of "point only to branches owned by
> ~launchpad-pqm", rather than "point only to branches owned by
> ~launchpad-pqm, unless we trust the branch". The latter leaves an
> example that it's ok to point to foreign branches that we don't have any
> control of.
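Review bot: the `+subunit lp:~subunit/subunit/trunk;revno=120` line moves the dependency from a ~launchpad-pqm-owned branch to one owned by ~subunit while still pinning only a revno, so what revision 120 resolves to is decided by whoever can push to that branch rather than by PQM, and a revno-only pin on a foreign branch is not a tamper-evident reference. If the foreign branch is kept, pin it by revision-id together with a testament-sha1, or mirror the wanted revision into a ~launchpad-pqm branch and pin that; the thread also notes that this hunk currently fails with incompatible repository errors because the PQM branch is a KnitPackRepository and subunit trunk is a 2a repository, so the format mismatch has to be dealt with before any pin on that branch resolves.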
If we ever did want to be able to track an upstream's branch without having to manage a pqm-trusted mirror, then I think the way to do it would be:

lp:~subunit/subunit/trunk;revision-id=robe...@robertcollins.net-20100311211210-h7b7ajkd6sz1ayzr;testament-sha1=6cc557aef62eee2e34b7ea296f374b0b0277a922

Verbose though that is, it's required to affirm that someone hasn't maliciously forged a revision with the same revid as the previous tip, but including malicious changes.

Max.
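One way to enforce the two rules argued for in this thread (Bjorn's "point only to branches owned by ~launchpad-pqm", and Max's revision-id plus testament-sha1 pin for anything else) as a lint over sourcedeps.conf. This is an added example, not Launchpad's own tooling; the `name url;key=value` line format, the `revno`, `revision-id` and `testament-sha1` keys, and the owner-based policy are assumptions taken from the messages above.

```python
import re
from dataclasses import dataclass

TRUSTED_OWNER = "~launchpad-pqm"  # assumed policy: only PQM-owned branches are trusted by default
LP_URL = re.compile(r"^lp:(?P<owner>~[\w.+-]+)/(?P<project>[\w.+-]+)/(?P<branch>[\w.+-]+)$")
SHA1 = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    name: str
    ok: bool
    reason: str


def parse_entry(line):
    """Split 'name lp:...;key=value;key=value' into (name, url, {key: value})."""
    name, spec = line.split(None, 1)
    url, *opts = spec.split(";")
    pins = dict(opt.split("=", 1) for opt in opts if "=" in opt)
    return name, url, pins


def check_entry(line):
    name, url, pins = parse_entry(line)
    m = LP_URL.match(url)
    if not m:
        return Finding(name, False, f"unrecognised branch URL {url!r}")
    if m.group("owner") == TRUSTED_OWNER:
        # PQM gates every change landing on these branches, so a revno pin is enough.
        if "revno" in pins or "revision-id" in pins:
            return Finding(name, True, "PQM-owned branch with a pinned revision")
        return Finding(name, False, "PQM-owned branch without a pinned revision")
    # Foreign branch: its owner decides what a revno (or a forged revid) resolves to,
    # so require revision-id plus the testament-sha1 that fixes the tree contents.
    missing = [k for k in ("revision-id", "testament-sha1") if k not in pins]
    if missing:
        return Finding(name, False, f"foreign branch {url} pinned without {', '.join(missing)}")
    if not SHA1.match(pins["testament-sha1"]):
        return Finding(name, False, "testament-sha1 is not a 40-hex-digit digest")
    return Finding(name, True, "foreign branch pinned by revision-id and testament-sha1")


def lint(text):
    return [check_entry(l.strip()) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


# Constructed sample: the original entry, the naive change from the thread, and a pin in the
# form Max proposes (the revision-id here is a placeholder, not a real bzr revid).
SAMPLE_CONF = """subunit lp:~launchpad-pqm/subunit/trunk;revno=61
subunit lp:~subunit/subunit/trunk;revno=120
subunit lp:~subunit/subunit/trunk;revision-id=PLACEHOLDER-REVID;testament-sha1=6cc557aef62eee2e34b7ea296f374b0b0277a922
"""
```

The lint only checks that a pin is of a tamper-evident form; confirming that the named revision really has that testament still has to be done with bzr against the fetched branch.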
_______________________________________________ Mailing list: https://launchpad.net/~launchpad-dev Post to : [email protected] Unsubscribe : https://launchpad.net/~launchpad-dev More help : https://help.launchpad.net/ListHelp

