PPAIntro
Dev Week -- Introduction to PPAs -Celso Providelo -- Wed, Sep 3
(03:00:39 PM) cprov: I guess we can start the 'Introduction to PPAs' session. (03:00:57 PM) cprov: who is here to learn more about PPAs ? (03:01:15 PM) laga: maybe i am. ;) (03:02:05 PM) ***siretart raises his hand! (03:02:05 PM) cprov: There is a overview document from previous PPA sessions that might be a useful read: https://wiki.ubuntu.com/CelsoProvidelo/PPASystemOverview (03:02:33 PM) sebner: siretart: debian is missing this cool things :P (03:02:42 PM) mathiaz left the room. (03:03:49 PM) cprov: you can start asking question while I talk trivialities about what PPA is (03:03:59 PM) Kurt: *raises hand* (03:04:22 PM) cprov: I imagine a lot of people already know about PPA (Personal Package Archives) features in Launchpad (03:04:53 PM) mcas_away is now known as mcas (03:05:38 PM) cprov: in few words, it's a groups of services already used to manage and maintain the Ubuntu distribution encapsulated in a way every launchpad user can benefit of it. (03:06:55 PM) cprov: It includes the basic components used for Ubuntu: a upload-processor, a build-service and a repository builder. (03:08:00 PM) cprov: basically, it helps users to get source packages built and published in the same way they would be if uploaded to the Ubuntu distribution. (03:09:31 PM) cprov: The system is in production since the end of the last year, more overall stats can be found at https://edge.launchpad.net/ubuntu/+ppas (03:09:50 PM) cprov: we are already over 1000 active PPAs (yay!) (03:10:03 PM) cprov: laga: QUESTION: when will it be possible to sign packages on the PPA? (03:10:52 PM) cprov: YES :) we are very committed to deliver this features (implemented in a proper way) early in this launchpad milestone. (03:11:33 PM) cprov: laga: QUESTION: i seem to remember reading about a "replay attack" on PPAs. can you comment on that? (03:12:18 PM) cprov: right, replay attacks (someone maliciously re-uploading a PPA package uploaded by a ubuntu maintainer) are completely solved in production. (03:12:48 PM) cprov: PPA changesfiles are stored without the original signature and makes impossible to re-upload them. (03:12:54 PM) laga: and how was it possible? --verbose ;) (03:13:31 PM) cprov: laga: the original signature is not available anymore, you can't 're-play' (03:13:45 PM) cprov: laga: QUESTION: is there an API for the PPAs, eg to make copying packages into another distro series easier? (03:15:04 PM) cprov: yes, soyuz features will be exposed via the public launchpad API soon (launchpadlib) and we have plans to include PPA features very soon. (03:15:24 PM) cprov: aga: QUESTION: how much buildd capacity is available? how much could one use up without getting smackedß (03:16:08 PM) cprov: laga: launchpad IS team is working hard in increasing the number of available builders, https://edge.launchpad.net/+builds (03:16:35 PM) cprov: laga: that certainly makes build-load less than an issue. (03:17:51 PM) cprov: laga: but we have plans to establish fair limits to avoid some users to make things slower to the others. (03:18:02 PM) laga: good :) (03:18:11 PM) cprov: stefanlsd: QUESTION: Is there anyway to ensure the PPA's that we are using are safe? Or do we just have to trust the PPA owner? (03:18:48 PM) cprov: stefanlsd: you always have to trust the owner/uploader (03:19:33 PM) cprov: the PPA system guarantees the binaries you will be installed were in fact generated from the corresponding source (03:19:58 PM) cprov: also, when signed, will guarantee that you will be installing exactly what you aim to. (03:20:55 PM) cprov: but it can't really guarantee that the binary is not doing any malicious task in you system, the users/communities have to audit it somehow (03:22:05 PM) cprov: We thought about creating a recommendation/voting system on top of the current PPAs, but that's just speculation. I'd be really interested in listen to ideas about this topic. (03:22:17 PM) cprov: laga: QUESTION: do the ppas take orig.tar.gz from the main archives? (03:23:30 PM) cprov: laga: yes, uploaders can easily re-use origs from the Ubuntu Primary archive, it saves a lot of bandwidth and makes package diffs clearer. (03:23:43 PM) cprov: mok0: QUESTION: Is the PPA software available so I could have my own system running at home? (03:24:08 PM) cprov: mok0: not yet, it is still part of Launchpad. (03:24:23 PM) mok0: :-( (03:24:36 PM) cprov: mok0: it also means that when LP goes free it will be available :) (03:24:45 PM) mok0: :-) (03:24:59 PM) cprov: laga: QUESTION: when will support for debian packages be available? (03:25:37 PM) cprov: laga: yes, we are organising the infrastructure to start supporting it. (03:26:02 PM) cprov: laga: in way we can improve the collaboration between debian and ubuntu. (03:26:31 PM) mok0: awesome (03:27:25 PM) cprov: for instance, we plan to, when it's the interest of the user to have a debian PPA as a 'mirror' of the ubuntu one, in way that all package successfully built in the ubuntu PPA will be automatically pushed to the debian PPA. (03:27:36 PM) cprov: what do you think about it ? (03:30:10 PM) cprov: are you perplexed with this idea ? (03:30:22 PM) siretart: that sounds great! (03:30:46 PM) sebner: cprov: really great!" (03:30:54 PM) sebner: cprov: I suppose sid chroot? (03:31:05 PM) cprov: siretart: yes, the way it saves time on the developer side is nice. (03:31:51 PM) cprov: sebner: yes, unstable, because that's where they can be uploaded in debian. (03:32:07 PM) sebner: cprov: ah, sure ^^. Great! EST? (03:32:52 PM) cprov: siretart: QUESTION: is a 'backport this package' button planned? - what's the spec name if yes? (03:34:55 PM) cprov: siretart: yes, we plan to implement this and also native-debian-syncs as part of a more structure and reliable way of merging/diffing two different archives (repositories) (03:36:15 PM) cprov: siretart: it would check/prepare a proper version and also compose a proper changelog for backports/syncs. (03:36:31 PM) cprov: siretart: making such tasks easier and more reliable. (03:36:35 PM) siretart: \o/ (03:37:39 PM) sebner: siretart is now complety satisfied ^^ (03:38:13 PM) ***siretart cant await using it :) (03:38:39 PM) cprov: there is also another feature planned related with supporting backports in PPA that involves giving the users the ability to set the required archive dependencies for a PPA in order to build backports using what is already available in the corresponding ubuntu backports. (03:39:05 PM) cprov: sebner: QUESTION: cool new features are planned but do we see them in *near* future? EST? (03:40:05 PM) cprov: sebner: I do see them all done in the next 4 months, at least, signed-ppas & the debian-support (03:40:23 PM) sebner: cprov: /me is happy to be a LP beta tester :P (03:42:23 PM) cprov: We are also glad to have this army of very bright users working on our side. LP is only helping you to change the world! (03:44:01 PM) cprov: siretart: QUESTION: are any new architectures planned for the near future? (03:44:34 PM) cprov: not really, we are following XEN in this journey. (03:45:27 PM) cprov: I've heard (read) some news about the SPARC support, but I'm no expert. (03:49:09 PM) cprov: do you have any suggestions for improving the current documentation ? https://help.launchpad.net/Packaging/PPA (03:50:24 PM) cprov: I personally miss a more hands-on packaging guide, successfull use-cases / workflows based on PPAs (03:51:55 PM) cprov: the best way to improving the experience when using PPAs, IMHO, it making easier to see how the current users have solved their problems. (03:52:55 PM) cprov: I've found a very interesting post indexing useful PPAs -> http://ubuntudoctor.com/content/blog/The-Personal-Package-Archives-Index (03:54:44 PM) cprov: and I guess that's it for today, another very interesting round of PPA questions & answers session, I hope you liked it. (03:55:43 PM) sebner: cprov: it was great. thanks very much :) (03:56:00 PM) cprov: please, keep the suggestions coming, we are willing to provide the most complete and easiest service for building and distributing software for debian-like systems. (03:56:37 PM) cprov: when filling bugs, don't forget: product -> soyuz and tag: ppa
MeetingLogs/devweek0809/PPAIntro (last edited 2008-09-03 19:58:36 by pool-68-238-87-204)