Ubuntu Wiki

Dev Week -- Introduction to PPAs -Celso Providelo -- Wed, Sep 3

(03:00:39 PM) cprov: I guess we can start the 'Introduction to PPAs' session.
(03:00:57 PM) cprov: who is here to learn more about PPAs ?
(03:01:15 PM) laga: maybe i am. ;)
(03:02:05 PM) ***siretart raises his hand!
(03:02:05 PM) cprov: There is a overview document from previous PPA sessions that might be a useful read: https://wiki.ubuntu.com/CelsoProvidelo/PPASystemOverview
(03:02:33 PM) sebner: siretart: debian is missing this cool things :P
(03:02:42 PM) mathiaz left the room.
(03:03:49 PM) cprov: you can start asking question while I talk trivialities about what PPA is
(03:03:59 PM) Kurt: *raises hand*
(03:04:22 PM) cprov: I imagine a lot of people already know about PPA (Personal Package Archives) features in Launchpad
(03:04:53 PM) mcas_away is now known as mcas
(03:05:38 PM) cprov: in few words, it's a groups of services already used to manage and maintain the Ubuntu distribution encapsulated in a way every launchpad user can benefit of it.
(03:06:55 PM) cprov: It includes the basic components used for Ubuntu: a upload-processor, a build-service and a repository builder.
(03:08:00 PM) cprov: basically, it helps users to get source packages built and published in the same way  they would be if uploaded to the Ubuntu distribution.
(03:09:31 PM) cprov: The system is in production since the end of the last year, more overall stats can be found at https://edge.launchpad.net/ubuntu/+ppas
(03:09:50 PM) cprov: we are already over 1000 active PPAs (yay!)
(03:10:03 PM) cprov: laga: QUESTION: when will it be possible to sign packages on the PPA?
(03:10:52 PM) cprov: YES :) we are very committed to deliver this features (implemented in a proper way) early in this launchpad milestone.
(03:11:33 PM) cprov: laga: QUESTION: i seem to remember reading about a "replay attack" on PPAs. can you comment on that?
(03:12:18 PM) cprov: right, replay attacks (someone maliciously re-uploading a PPA package uploaded by a ubuntu maintainer) are completely solved in production.
(03:12:48 PM) cprov: PPA changesfiles are stored without the original signature and makes impossible to re-upload them.
(03:12:54 PM) laga: and how was it possible? --verbose ;)
(03:13:31 PM) cprov: laga: the original signature is not available anymore, you can't 're-play'
(03:13:45 PM) cprov: laga: QUESTION: is there an API for the PPAs, eg to make copying packages into another distro series easier?
(03:15:04 PM) cprov: yes, soyuz features will be exposed via the public launchpad API soon (launchpadlib) and we have plans to include PPA features very soon.
(03:15:24 PM) cprov: aga: QUESTION: how much buildd capacity is available? how much could one use up without getting smackedß
(03:16:08 PM) cprov: laga:  launchpad IS team is working hard in increasing the number of available builders, https://edge.launchpad.net/+builds
(03:16:35 PM) cprov: laga: that certainly makes build-load less than an issue.
(03:17:51 PM) cprov: laga: but we have plans to establish fair limits to avoid some users to make things slower to the others.
(03:18:02 PM) laga: good :)
(03:18:11 PM) cprov: stefanlsd: QUESTION: Is there anyway to ensure the PPA's that we are using are safe? Or do we just have to trust the PPA owner?
(03:18:48 PM) cprov: stefanlsd: you always have to trust the owner/uploader
(03:19:33 PM) cprov: the PPA system guarantees the binaries you will be installed were in fact generated from the corresponding source
(03:19:58 PM) cprov: also, when signed, will guarantee that you will be installing exactly what you aim to.
(03:20:55 PM) cprov: but it can't really guarantee that the binary is not doing any malicious task in you system, the users/communities have to audit it somehow
(03:22:05 PM) cprov: We thought about creating a recommendation/voting system on top of the current PPAs, but that's just speculation. I'd be really interested in listen to ideas about this topic.
(03:22:17 PM) cprov: laga: QUESTION: do the ppas take orig.tar.gz from the main archives?
(03:23:30 PM) cprov: laga: yes, uploaders can easily re-use origs from the Ubuntu Primary archive, it saves a lot of bandwidth and makes package diffs clearer.
(03:23:43 PM) cprov: mok0: QUESTION: Is the PPA software available so I could have my own system running at home?
(03:24:08 PM) cprov: mok0: not yet, it is still part of Launchpad.
(03:24:23 PM) mok0: :-(
(03:24:36 PM) cprov: mok0: it also means that when LP goes free it will be available :)
(03:24:45 PM) mok0: :-)
(03:24:59 PM) cprov: laga: QUESTION: when will support for debian packages be available?
(03:25:37 PM) cprov: laga: yes, we are organising the infrastructure to start supporting it.
(03:26:02 PM) cprov: laga: in way we can improve the collaboration between debian and ubuntu.
(03:26:31 PM) mok0: awesome
(03:27:25 PM) cprov: for instance, we plan to, when it's the interest of the user to have a debian PPA as a 'mirror' of the ubuntu one, in way that all package successfully built in the ubuntu PPA will be automatically pushed to the debian PPA.
(03:27:36 PM) cprov: what do you think about it ?
(03:30:10 PM) cprov: are you perplexed with this idea ?
(03:30:22 PM) siretart: that sounds great!
(03:30:46 PM) sebner: cprov: really great!"
(03:30:54 PM) sebner: cprov: I suppose sid chroot?
(03:31:05 PM) cprov: siretart: yes, the way it saves time on the developer side is nice.
(03:31:51 PM) cprov: sebner: yes, unstable, because that's where they can be uploaded in debian.
(03:32:07 PM) sebner: cprov: ah, sure ^^. Great! EST?
(03:32:52 PM) cprov: siretart: QUESTION: is a 'backport this package' button planned? - what's the spec name if yes?
(03:34:55 PM) cprov: siretart: yes, we plan to implement this and also native-debian-syncs as part of a more structure and reliable way of merging/diffing two different archives (repositories)
(03:36:15 PM) cprov: siretart: it would check/prepare a proper version and also compose a proper changelog for backports/syncs.
(03:36:31 PM) cprov: siretart: making such tasks easier and more reliable.
(03:36:35 PM) siretart: \o/
(03:37:39 PM) sebner: siretart is now complety satisfied ^^
(03:38:13 PM) ***siretart cant await using it :)
(03:38:39 PM) cprov: there is also another feature planned related with supporting backports in PPA that involves giving the users the ability to set the required archive dependencies for a PPA in order to build backports using what is already available in the corresponding ubuntu backports.
(03:39:05 PM) cprov: sebner: QUESTION: cool new features are planned but do we see them in *near* future? EST?
(03:40:05 PM) cprov: sebner: I do see them all done in the next 4 months, at least, signed-ppas & the debian-support
(03:40:23 PM) sebner: cprov: /me is happy to be a LP beta tester :P
(03:42:23 PM) cprov: We are also glad to have this army of very bright users working on our side. LP is only helping you to change the world!
(03:44:01 PM) cprov: siretart: QUESTION: are any new architectures planned for the near future?
(03:44:34 PM) cprov: not really, we are following XEN in this journey.
(03:45:27 PM) cprov: I've heard (read) some news about the SPARC support, but I'm no expert.
(03:49:09 PM) cprov: do you have any suggestions for improving the current documentation ? https://help.launchpad.net/Packaging/PPA
(03:50:24 PM) cprov: I personally miss a more hands-on packaging guide, successfull use-cases / workflows based on PPAs
(03:51:55 PM) cprov: the best way to improving the experience when using PPAs, IMHO, it making easier to see how the current users have solved their problems.
(03:52:55 PM) cprov: I've found a very interesting post indexing useful PPAs -> http://ubuntudoctor.com/content/blog/The-Personal-Package-Archives-Index
(03:54:44 PM) cprov: and I guess that's it for today, another very interesting round of PPA questions & answers session, I hope you liked it.
(03:55:43 PM) sebner: cprov: it was great. thanks very much :)
(03:56:00 PM) cprov: please, keep the suggestions coming, we are willing to provide the most complete and easiest service for building and distributing software for debian-like systems.
(03:56:37 PM) cprov: when filling bugs, don't forget:  product -> soyuz and tag: ppa