
Re: Make stable-security build logs public after embargo



Hi,

On Sat, Jun 03, 2023 at 10:55:08AM +0200, Philipp Kern wrote:
> Hi,
> 
> On 01.06.23 16:51, Sylvain Beucler wrote:
> > I'm part of the Debian LTS Team, and along with the Security Team, we're
> > looking into making embargo'd build logs eventually public.
> > See https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/51
> > 
> > Typical use case: when the LTS Team is working on the first LTS security
> > upload for buster-security, the previous build logs are not available,
> > while they are critical to interpret any new build failure.
> > This also improves the overall transparency of the Debian project.
> > 
> > So we'd like to make the stable-security build logs eventually public,
> > preferably early. One approach is to make the build logs available
> > through https://buildd.debian.org/status/package.php on package release
> > (when the embargoes for the package and possibly its dependencies are
> > lifted, and the new packages are publicly distributed by Debian).
> > Another more straightforward approach, but way more delayed, is to make
> > these build logs available in batch, when handing over oldstable to the
> > LTS team.
> > 
> > Note: the new lts (buster-security) build logs are already made public,
> > here we're targeting future-lts (bullseye-security) build logs.
> > 
> > Currently we're not entirely sure on how build logs are injected to the
> > buildd.debian.org/status/package.php service, so we're contacting you to
> > determine how feasible this is. Typically:
> > - Locate and identify publishable logs (in e-mail archives on master?)
> > - Trigger the publication at the right time (dak hook?)
> > 
> > I also volunteer to spend some time on the implementation, as part of my
> > work on LTS.
> > 
> > Do you think this can be achieved, and how?
> 
> Right now we (wanna-build/buildd maintainers) do not have access to the logs
> at all. They are sent directly to logs@security.d.o, where they are
> presumably just distributed to team members. Maybe they are archived, I
> cannot tell - in which case we might be able to (re)inject them.

The mails are forwarded from there to the archive on master. What I
can imagine is that they could be stored as well on security-master
itself for a potential dak hook, for instance, as a possible idea.

> As far as I can see there is no access control on buildd.d.o when it comes
> to logs: You just need to know the timestamp of the log. So if the
> wanna-build state is available to buildd.d.o/status, I'd imagine that the
> links to the logs would just show up if we were to inject them.

How can they be reinjected?

Regards,
Salvatore

