Colin Watson has proposed merging ~cjwatson/launchpad:delay-publishing-copy-archives into launchpad:master.
Commit message: Delay copy archive publishing until signing keys exist Requested reviews: Launchpad code reviewers (launchpad-reviewers) For more details, see: https://code.launchpad.net/~cjwatson/launchpad/+git/launchpad/+merge/414974 This should be safe on production now that `cronscripts/ppa-generate-keys.py --copy-archives` is cronned, and it means that we don't end up in a situation where we publish an unsigned copy archive first and then don't realize that it needs to be republished to pick up the signing key. I cheated slightly by overloading this on `config.personalpackagearchive.require_signing_keys`, but it doesn't seem worth the churn of adding another configuration option just for this and arranging for it to be enabled only on production. -- Your team Launchpad code reviewers is requested to review the proposed merge of ~cjwatson/launchpad:delay-publishing-copy-archives into launchpad:master.
diff --git a/lib/lp/archivepublisher/tests/test_publishdistro.py b/lib/lp/archivepublisher/tests/test_publishdistro.py index fb00a9f..399d907 100644 --- a/lib/lp/archivepublisher/tests/test_publishdistro.py +++ b/lib/lp/archivepublisher/tests/test_publishdistro.py @@ -1,4 +1,4 @@ -# Copyright 2009-2021 Canonical Ltd. This software is licensed under the +# Copyright 2009-2022 Canonical Ltd. This software is licensed under the # GNU Affero General Public License version 3 (see the file LICENSE). """Functional tests for publish-distro.py script.""" @@ -336,6 +336,21 @@ class TestPublishDistro(TestNativePublishingBase): pub_source = self.loadPubSource(pub_source_id) self.assertEqual(pub_source.status, PackagePublishingStatus.PUBLISHED) + def testPublishCopyArchiveWithoutSigningKey(self): + """publish-distro skips copy archives without signing keys.""" + self.setUpRequireSigningKeys() + ubuntutest = getUtility(IDistributionSet)['ubuntutest'] + cprov = getUtility(IPersonSet).getByName('cprov') + copy_archive_name = 'test-copy-publish' + copy_archive = getUtility(IArchiveSet).new( + distribution=ubuntutest, owner=cprov, name=copy_archive_name, + purpose=ArchivePurpose.COPY, enabled=True) + removeSecurityProxy(copy_archive).publish = True + pub_source_id = self.getPubSource(archive=copy_archive).id + self.runPublishDistro(['--copy-archive']) + pub_source = self.loadPubSource(pub_source_id) + self.assertEqual(PackagePublishingStatus.PENDING, pub_source.status) + def testPublishCopyArchive(self): """Run publish-distro in copy archive mode. @@ -361,6 +376,13 @@ class TestPublishDistro(TestNativePublishingBase): # necessary to alter the publish flag. removeSecurityProxy(copy_archive).publish = True + # Set up signing key. + self.setUpRequireSigningKeys() + yield self.useFixture(InProcessKeyServerFixture()).start() + key_path = os.path.join(gpgkeysdir, 'ppa-sam...@canonical.com.sec') + yield IArchiveGPGSigningKey(copy_archive).setSigningKey( + key_path, async_keyserver=True) + # Publish something. pub_source_id = self.getPubSource( sourcename='baz', filecontent=b'baz', archive=copy_archive).id diff --git a/lib/lp/services/config/schema-lazr.conf b/lib/lp/services/config/schema-lazr.conf index ef17be9..84f9294 100644 --- a/lib/lp/services/config/schema-lazr.conf +++ b/lib/lp/services/config/schema-lazr.conf @@ -1495,8 +1495,8 @@ private_base_url: https://private-ppa.launchpad.net # datatype: string signing_keys_root: /var/tmp/ppa-signing-keys -# If true, PPAs will only be published once their signing-keys have been -# generated. +# If true, PPAs and copy archives will only be published once their +# signing-keys have been generated. # datatype: boolean require_signing_keys: false diff --git a/lib/lp/soyuz/model/archive.py b/lib/lp/soyuz/model/archive.py index 59312ea..2ab3a4a 100644 --- a/lib/lp/soyuz/model/archive.py +++ b/lib/lp/soyuz/model/archive.py @@ -1,4 +1,4 @@ -# Copyright 2009-2021 Canonical Ltd. This software is licensed under the +# Copyright 2009-2022 Canonical Ltd. This software is licensed under the # GNU Affero General Public License version 3 (see the file LICENSE). """Database class for table Archive.""" @@ -442,11 +442,11 @@ class Archive(SQLBase): # The explicit publish flag must be set. if not self.publish: return False - # In production configurations, PPAs can only be published once - # their signing key has been generated. + # In production configurations, PPAs and copy archives can only be + # published once their signing key has been generated. return ( not config.personalpackagearchive.require_signing_keys or - not self.is_ppa or + (not self.is_ppa and not self.is_copy) or self.signing_key_fingerprint is not None) @property
_______________________________________________ Mailing list: https://launchpad.net/~launchpad-reviewers Post to : launchpad-reviewers@lists.launchpad.net Unsubscribe : https://launchpad.net/~launchpad-reviewers More help : https://help.launchpad.net/ListHelp