[00:19] <kyrofa> For my peace of mind, can someone please confirm that if a private PPA password leaks, all that leaks is _read_ access to that _specific_ PPA?
[00:22] <wgrant> kyrofa: That's correct. PPA access tokens are read-only and tied to a specific PPA and user.
[00:22] <kyrofa> wgrant, thank you sir
[00:29] <kyrofa> Another unrelated question: is there a way to get the signing key for a PPA before it has packages?
[00:40] <wgrant> kyrofa: To save resources and not pollute keyservers, LP only generates the key for a PPA once packages exist in it. But do note that this only applies to the first PPA for a given person or team; subsequent PPAs with the same owner should reuse the existing key on creation.
[00:49] <kyrofa> Oh that's interesting, I never noticed that
[09:18] <cjwatson> (or rather, in read-only mode)
[09:34] <cjwatson> Master switch finished a while ago, sorry for forgetting to update here
[09:35] <cjwatson> Writes are now going to pure SSD so hopefully that'll help performance
[13:45] <rbasak> Could someone explain what's happening in https://api.launchpad.net/devel/debian/+archive/primary/+sourcepub/1934411 please? This object has no date_published entry. What does it mean for a publication history entry to have been created but never published?
[13:50] <cjwatson> rbasak: An old bug.  Prior to https://git.launchpad.net/launchpad/commit/?id=93b487ee1332840f036603b1567183963d6a9fab, the Debian importer created source package publishing history entries as Pending and never set them to Published (unless the publisher was run on them, which never happened in this case).
[13:52] <cjwatson> rbasak: But it could probably happen in other cases if the SPPH was quickly superseded by a newer version before being published.
[13:52] <rbasak> cjwatson: thanks.
[13:53] <rbasak> cjwatson: in other cases> in Ubuntu only presumably, or Debian too?
[13:53] <rbasak> Because I assume you only create Debian publishing history entries when you see Debian publications?
[13:53] <cjwatson> In Ubuntu.  (I think.)
[13:53] <cjwatson> Right.
[13:53] <rbasak> Got it. Thanks!
[13:53] <cjwatson> Since the change above, Debian publications are immediately created as Published.
[13:54] <wgrant> I don't think something can be immediately superseded, but it can be immediately deleted
[13:54] <wgrant> (pretty sure the dominator only considers status == published)
[13:55] <cjwatson> Hm yes
[13:55] <cjwatson> So still possible but rarer
[13:56] <rbasak> Is there a guarantee that every source_package_publishing_history has a package_upload?
[13:58] <cjwatson> That seems unlikely; a Debian-imported one doesn't
[13:58] <rbasak> Oh
[13:58]  * rbasak wonders where git-ubuntu gets the source from then
[13:59] <cjwatson> PackageUpload would seem a slightly odd thing to go through to get the source
[14:00] <rbasak> Ah. It defers that to ubuntutools.archive
[14:00] <cjwatson> You could do sourceFileUrls on the SPPH
[14:00] <cjwatson> Or yeah, look them up from the archive by source name and version
[14:01] <rbasak> Sorry, I forgot the details of the model here.
[14:01] <cjwatson> package_upload corresponds to something that has been in a queue at some point (/ubuntu/focal/+queue etc.)
[14:01] <rbasak> My question is really: if I include spphs with no date_published entries, then will I have a problem importing them?
[14:02] <rbasak> Or will something importable always exist?
[14:02] <rbasak> (importable == I can grab a source tree, dsc file, etc)
[14:02] <cjwatson> They should still have files on the sourcepackagerelease even before being published
[14:02] <rbasak> Sounds good, thanks
[14:02] <cjwatson> date_published is more about being put on disk by the publisher
[14:03] <rbasak> I'll rely on the date_created of spphs then
[14:03] <rbasak> And mostly (completely?) ignore date_published
[14:04] <cjwatson> date_published is interesting if you want to line things up with when the publisher ran, but I can't think of why it would be interesting to git-ubuntu
[14:04] <rbasak> And I'll use the earliest spph (keyed by date_created) for a (source_package_name, source_package_version) pair to keep consistency in ordering
[14:05] <rbasak> cjwatson: yeah - sounds like I took a wrong turn in using date_published instead of date_created
[14:06] <cjwatson> I'm not sure I can authoritatively guarantee that every SPPH will have some associated files - it's possible there are anomalies - but I don't expect that to have anything to do with whether date_published is set
[14:07] <cjwatson> And I don't know of a situation today where that would happen
[14:07] <rbasak> Fair enough. If we find anomalies, the import will probably fail until I add code to detect the anomaly and treat the spph as if it doesn't exist. I think that's OK.
[14:08] <wgrant> It is uncommon, but e.g. maitreya
[14:08] <wgrant> Possibly only maitreya
[14:08] <wgrant> I think we treated that like an early source expiry, rather than excising it from the DB entirely.
[14:08] <cjwatson> Not importing that is in fact desired
[14:08] <wgrant> Indeed.
[14:09] <cjwatson> Oh maybe also really old obsolete things?
[14:09] <cjwatson> I don't remember whether we've ever expired source files
[14:09] <cjwatson> I didn't think so
[14:09] <cjwatson> (aside from maitreya)
[14:09] <rbasak> More detail on maitreya please?
[14:09] <cjwatson> Legal
[14:09] <rbasak> Sounds like a good edge case to make sure git-ubuntu works with.
[14:09] <rbasak> We can also put it in an import blacklist
[14:10] <cjwatson> (also, astrologers)
[14:10] <rbasak> But I'd like to make sure git-ubuntu does work against things Launchpad has.
[14:10] <cjwatson> The gory details are best discussed over beer :)
[14:10] <wgrant> I don't think we've expired sources from the Ubuntu primary archive
[14:10] <wgrant> For obsolescence reasons, I mean
[14:10] <rbasak> Virtual beer? :)
[14:11] <cjwatson> https://wiki.canonical.com/InformationInfrastructure/OSA/RequestLogging/LP/SQL has some history, ish
[14:18] <rbasak> Thanks!
[14:47] <Odd_Bloke> We just saw a build failure in Launchpad that we didn't reproduce in either of the local builds we did (one using sbuild, one just building in their host).  Is there any (not entirely painful :p) way to build packages the way that Launchpad does?  (Or at least more closely?)
[14:48] <Odd_Bloke> (I know this is Complicated, but figured I'd double check that I'm not missing something I could be using.)
[14:58] <tomwardill> Odd_Bloke: is it a consistent failure?
[15:10] <Odd_Bloke> Yeah, it's just a difference in environment.
[15:10] <Odd_Bloke> Which I would like to be able to catch locally/in the build we do in our CI/..., if possible.
[16:23] <cjwatson> Odd_Bloke: Tom wrote https://dev.launchpad.net/Soyuz/HowToDevelopWithBuildd a little while back, but it uses the LXD VM stuff and is generally a tad new
[16:23] <cjwatson> And also doesn't do the restricted network stuff I think
[16:23] <tomwardill> sorry, dropped this conversation and got distracted
[16:23] <tomwardill> no, it doesn't do the restricted network (it could, but that's a bunch of ufw stuff that I'm not sure I can repeat atm)
[17:03] <Odd_Bloke> OK, cool, I'll give that a go at some point.  Thanks!