Ubuntu

Replace archive admin shell access with API clients

Registered by Colin Watson on 2011-12-31

The Ubuntu archive administration team has always required direct privileged shell access to the ftpmaster system in order to perform many of its routine tasks. This is a security problem, it prevents us from opening some tasks up to those who are not Canonical employees, and it makes it hard for us to improve our own tools. Improve the Launchpad API to handle all our requirements and write suitable API clients.

We will know we have succeeded when archive admins no longer require shell access to do their jobs.

(Postponed items carried over to https://blueprints.launchpad.net/ubuntu/+spec/foundations-r-replace-archive-admin-shell-access.)

Read the full specification

Blueprint information

Status:: Complete

Approver:: Steve Langasek

Priority:: High

Drafter:: Colin Watson

Direction:: Approved

Assignee:: Colin Watson

Definition:: Approved

Series goal:: Accepted for quantal

Implementation:: Implemented

Milestone target:: ubuntu-12.10

Started by: Colin Watson on 2012-03-30

Completed by: Colin Watson on 2012-10-05

Related branches

Related bugs

Bug #231371: support dist-upgrader-all pocket copy	Fix Released
Bug #827941: Copy ddtp-translations uploads to new distroseries	Fix Released
Bug #853831: Export SPPH.changeOverride and BPPH.changeOverride	Fix Released
Bug #966092: more-extra.override.* generation doesn't match use	Fix Released

Sprints

uds-q

Whiteboard

== lp_publish ==

WBNI publisher took reliably <30mins
* run a few things outside the lock?
* possibly get rid of ls-lR?

== lp_buildd ==

buildd-mass-retry: should be movable to API
add-missing-builds: needs API

(This is not a user-visible feature, and has no associated release notes.)

(?)

Work Items

Work items:
Migrate from sync-source to syncpackage: DONE
Write auto-sync client: DONE
Migrate from backport-source to backportpackage: DONE
Write up webops procedures for upload queue inspection/reprocessing: DONE
Convert sru-release to Archive.copyPackage: DONE
Write an API client to replace lp-remove-package: DONE
Export queue operations over the API: DONE
Write an API client to replace queue: DONE
Fix LP and/or client so that unembargo client can use Archive.copyPackage (http://bazaar.launchpad.net/~ubuntu-bugcontrol/ubuntu-qa-tools/master/view/head:/security-tools/unembargo): DONE
Move sync blacklist to ~ubuntu-archive branch in LP: DONE
Move new-source into new auto-sync client: DONE
Move override helpers into new queue client: DONE
Convert copy-report to Archive.copyPackage: DONE
Obsolete publish-queue in favour of new PackageUpload-based queuebot: DONE
Export enough API to permit writing a populate-archive client: POSTPONED
Write an API client to replace populate-archive: POSTPONED
Fix NewReleaseCycleProcess documentation to say that new-series sanity checking should be done on a mirror: DONE
Fix stale files piling up in /srv/launchpad.net/ubuntu-archive/ubuntu-germinate/: DONE
Look into different copyPackage ACLs for ubuntu-security and ubuntu-archive, so that it doesn't require separate approval: DONE
Write tool to do manual actions arising from copy-report: DONE

Dependency tree

* Blueprints in grey have been implemented.

This blueprint contains Public information

Everyone can see this information.

Subscribers

Adam Conrad

Barry Warsaw

Colin Watson

Evan Broder

Iain Lane

Jamie Strandboge

Kate Stewart

Micah Gersten

Rex Tsai

Scott Kitterman

Stefano Rivera

Timothy R. Chavez

William Grant