Closed Bug 1037466 Opened 10 years ago Closed 8 years ago

Let's grant a-team permission to upload (certain) pypi packages

Categories

(Release Engineering :: General, defect)

RESOLVED WONTFIX

People

(Reporter: pmoore, Unassigned)

Currently the a-team has to request a package to be uploaded to the pypi server.

Maybe we can grant them access, to avoid a releng bottleneck?

What are your thoughts on this, dustin? I think setuptools provides a publish mechanism, but I don't know if that is compatible with our setup on the web heads (something like python setup.py sdist upload?), or maybe pip has a similar mechanism? Not sure what we need on the relengwebadm side to achieve this, though, or how we'd handle authentication/authorization.

This might be more suitable than setting up full ssh access. Also not sure how we would make sure the a-team couldn't accidentally change existing releng packages...

This could be one of the steps in line with our goal this year to eliminate monkey work from build duty.
Summary: Let's grant a team permission to upload (certain) pypi packages → Let's grant a-team permission to upload (certain) pypi packages
To be honest, I don't have any good ideas on how to solve this. The sdist upload stuff seems to hard-code pypi.python.org.

The closest thing I can think of at Mozilla is the tooltool uploads, and that wound up being a decent amount of infrastructure (a dedicated VM, with a lot of puppety goodness to handle ssh logins).

Other options I can think of:

 * a checked-in manifest somewhere with names, URLs, and hashes
   - and a crontask to update that manifest and download anything not already in place
   - benefit: hashes checked regularly on all packages
   - benefit: automatically get history on why package X was added, from 'hg blame'
   - downside: delay between checkin and package appearing

 * an LDAP-authenticated webapp allowing uploads
   - this could check for filename collisions by opening files with O_EXCL
   - could be part of relengapi (meaning uploads could be scripted using tokens!)

My plate's a little full to do much of the work on either of those, but I'm happy to work with someone else!
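The two options in the comment above share two safety properties: every package is pinned to a hash that is re-checked on each run, and a new file can never replace an existing one because it is created with O_EXCL. The sketch below is an added example, not code from the bug or from relengapi; the manifest field names, the `fetch` callable and the status strings are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def install_exclusive(directory, name, data):
    """Write a new package file; refuse to replace an existing one."""
    if os.path.basename(name) != name or name in ("", ".", ".."):
        raise ValueError("unsafe package filename: %r" % name)
    path = os.path.join(directory, name)
    # O_CREAT|O_EXCL is atomic: open fails if the name is already taken.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def sync_manifest(manifest, directory, fetch):
    """Apply manifest entries (name, url, sha256); return name -> status."""
    status = {}
    for entry in manifest:
        name, want = entry["name"], entry["sha256"]
        path = os.path.join(directory, os.path.basename(name))
        if os.path.basename(name) == name and os.path.isfile(path):
            # Already in place: re-check its hash on every run.
            with open(path, "rb") as f:
                have = hashlib.sha256(f.read()).hexdigest()
            status[name] = "ok" if have == want else "hash-mismatch-on-disk"
            continue
        data = fetch(entry["url"])  # assumed callable: url -> bytes
        if hashlib.sha256(data).hexdigest() != want:
            status[name] = "rejected-bad-download"
            continue
        try:
            install_exclusive(directory, name, data)
            status[name] = "installed"
        except (FileExistsError, ValueError) as exc:
            status[name] = "refused: %s" % type(exc).__name__
    return status

def demo():
    """Constructed sample: one good entry, one whose download was altered."""
    blobs = {"https://example.invalid/a-1.0.tar.gz": b"package A",
             "https://example.invalid/b-1.0.tar.gz": b"altered bytes"}
    manifest = [
        {"name": "a-1.0.tar.gz", "url": "https://example.invalid/a-1.0.tar.gz",
         "sha256": hashlib.sha256(b"package A").hexdigest()},
        {"name": "b-1.0.tar.gz", "url": "https://example.invalid/b-1.0.tar.gz",
         "sha256": hashlib.sha256(b"package B").hexdigest()},
    ]
    with tempfile.TemporaryDirectory() as d:
        return sync_manifest(manifest, d, blobs.__getitem__)
```

In a cron job `fetch` would be an HTTPS download; in an upload webapp the same `install_exclusive` call would run after authentication, so an upload cannot overwrite a package that is already being served.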
Shall we close this as WONTFIX now? Or are there any new mechanisms e.g. in RelEngAPI that would enable this?
Flags: needinfo?(dustin)
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(dustin)
Resolution: --- → WONTFIX
Component: Tools → General