[11:44] <cjwatson> wgrant: I'm tempted to just disallow LiveFS:requestBuild for private archives for now, as the issue with visibility of dependencies is going to take a while to get right (it can't all be done in requestBuild and dispatch, because the set of people who can see a LiveFSBuild might change later).  Does that make sense to you?
[11:45] <cjwatson> PES are likely to need it, but not immediately.
[11:50] <wgrant> cjwatson: Agreed.
[11:50] <wgrant> The virtualizedness is the bigger problem.
[11:50] <cjwatson> Haven't got to that yet; working through your review in order ...
[11:50] <wgrant> Oh
[11:50] <wgrant> You're in for an unpleasant surprise :)
[11:55] <cjwatson> Well, it's a problem for opening it up to wider groups such as PES
[11:56] <cjwatson> It's not particularly a problem with the pretty restricted set of people who can create/edit livefses/livefsbuilds at the moment
[11:57] <wgrant> That's true, but it might indicate that this model is fatally flawed.
[11:57] <cjwatson> I want to say that only people who can upload to some devirtualised archive should be able to request livefsbuilds, although most requests will be done by a bot user
[11:57] <wgrant> Though I guess the consumers are few enough that we can easily change it later.
[11:58] <wgrant> Right, that might be a sensible rule.
[11:58] <cjwatson> Sorry, should be able to request livefsbuilds for a devirt archive, I mean
[11:59] <cjwatson> (actually not a problem for PES, since they basically all have access to devirt archives already)
[23:47] <cjwatson> wgrant: So a "has any permission on any devirt archive" query is simple enough; what would you think of artificially giving ~ubuntu-cdimage-robot a devirt PPA just so that it passes this test and can run our normal image builds?
[23:47] <cjwatson> It would keep the code simple at the cost of a bit of deployment WTF
[23:49] <wgrant> cjwatson: Have you thought about a proper long-term solution for this? I haven't managed to come up with one.
[23:49] <wgrant> The cross-archive permission query isn't sustainable long-term, so I'm hoping we aren't backing ourselves into a corner here.
[23:50] <cjwatson> Long-term I'd hope we can do all livefs builds in scalingstack ...
[23:50] <wgrant> True, but it's similar in many ways to the privacy issue.
[23:51] <wgrant> But for the immediate term, that workaround sounds reasonable.
[23:51] <cjwatson> The simplest alternative that comes to mind is to have livefs virtualisation be an admin-settable property of some kind, rather than deriving it.
[23:51] <wgrant> Yup, but that doesn't solve the privacy issue which is basically the same problem.
[23:52] <cjwatson> We'd then have to disallow building a given devirt LiveFS against a virt archive.
[23:52] <cjwatson> Maybe it would simplify things if you were likewise not allowed to build a public LiveFS against a private Archive.
[23:53] <cjwatson> The same kind of way a public Archive isn't allowed to have a private ArchiveDependency.
[23:53] <cjwatson> So we could just say that if you're building against a private Archive then the LiveFS owner has to match.
[23:53] <wgrant> The ArchiveDependency situation is just marginally less bad than what was there before (no restriction).
[23:54] <wgrant> Right, I'd suggest that owner of the dependent object should have to be able to see the archive.
[23:54] <wgrant> At build-time.
[23:54] <wgrant> But for private PPAs that has to be slightly stricter.
[23:55] <wgrant> Possibly the LiveFS owner must have upload permissions
[23:55] <cjwatson> Requiring identity would mean that we don't have to worry about what happens if somebody gets added to one side or the other.
[23:55] <wgrant> Which then also solves the virtness issue, so I've been wondering if we can reasonably make that a normalr estriction.
[23:55] <cjwatson> For build logs later.
[23:55] <wgrant> True.
[23:56] <cjwatson> Any permission rather than just upload permission would be a bit easier logistically.
[23:56] <cjwatson> But it winds up much the same.
[23:57] <wgrant> You mean ArchivePermission, I assume
[23:57] <wgrant> ie. some kind of write access
[23:57] <cjwatson> Yes
[23:58] <wgrant> That's what I intended, yeah
[23:58] <wgrant> But "any permission" could be misconstrued to include ArchiveSubscriber, which is how ArchiveDependencies are now I think.
[23:58] <wgrant> Maybe?
[23:58] <wgrant> Anyway.
[23:58] <cjwatson> It potentially restricts our ability to use new teams for LiveFSes, but maybe that's OK
[23:59] <cjwatson> I'm just a bit worried about having to add ArchivePermissions for new teams to Ubuntu in order to be able to build livefses
[23:59] <cjwatson> For non-distro archives, whatever