Debian Bug report logs - #929397
ftp.d.o: please upload LTS .buildinfo files to ftp-master

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: ftp.d.o: please upload LTS .buildinfo files to ftp-master

Date: Wed, 22 May 2019 20:47:09 +0200

[Message part 1 (text/plain, inline)]

Package: ftp.debian.org
Severity: wishlist

hi,

from #-security today:

          * | h01ger wonders how to tackle #862538
 zwiebelbot | (#debian-security) Debian#862538: security.debian.org: Please
              POST .buildinfo files to buildinfo.debian.net
	      - https://bugs.debian.org/862538
   <h01ger> | for ftp.d.o there's a cronjob running as my user on coccia.d.o,
              which surely is a hack, but works for now. with security.d.o 
	      i have little  idea how to implement this, as i dont know how
	      embargoed updates get published and whether we could hook in
	      then+their somehow
   <ansgar> | h01ger: Well, they do get uploaded to ftp-master after some time.
   <h01ger> | oh, really? so this bug is moot? do you have an example?
   <ansgar> | h01ger: Hmm, though LTS doesn't get pushed to ftp-master. 
              But everything merged into stable releases just gets uploaded
	      to ftp-master, so .buildinfo should be available
     <adsb> | for variable amounts of "some time" :)


Besides #862538 there are also #862073 and #763822 which are all related
but slightly different details. (and as indicated, we have a workaround for
#862073 which publishes .buildinfo files to both buildinfo.debian.net as 
well as buildinfos.debian.net...
and if you ever forget the details we maintain an overview at
https://wiki.debian.org/ReproducibleBuilds#Big_outstanding_issues )

This new bug shall just be about not copying the .buildinfo files from LTS
uploads to ftp-master.d.o.

Also please note that this bug will only become relevant when Stretch
becomes LTS as only dpkg from stretch (and newer) produces .buildinfo
files.

Thanks!


-- 
tschau,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

we'll all die. make a difference while you can. disobey. smile.

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 929397@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>

To: "Holger Levsen" <holger@debian.org>, 929397@bugs.debian.org

Subject: Re: Bug#929397: ftp.d.o: please upload LTS .buildinfo files to ftp-master

Date: Thu, 23 May 2019 07:22:57 +0100

Hi Holger,

>    <h01ger> | for ftp.d.o there's a cronjob running as my user on coccia.d.o,
>               which surely is a hack, but works for now. […]

Would a "clean" dak-based solution…

> Also please note that this bug will only become relevant when Stretch
> becomes LTS as only dpkg from stretch (and newer) produces .buildinfo
> files.

… mean this is easily implemented for LTS too by "simply" updating the
version of dak to this hypothetical version?


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

Message #15 received at 929397@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Chris Lamb <lamby@debian.org>

Cc: 929397@bugs.debian.org

Subject: Re: Bug#929397: ftp.d.o: please upload LTS .buildinfo files to ftp-master

Date: Fri, 24 May 2019 22:03:51 +0000

[Message part 1 (text/plain, inline)]

Hi Chris,

On Thu, May 23, 2019 at 07:22:57AM +0100, Chris Lamb wrote:
> >    <h01ger> | for ftp.d.o there's a cronjob running as my user on coccia.d.o,
> >               which surely is a hack, but works for now. […]
> Would a "clean" dak-based solution…
> > Also please note that this bug will only become relevant when Stretch
> > becomes LTS as only dpkg from stretch (and newer) produces .buildinfo
> > files.
> … mean this is easily implemented for LTS too by "simply" updating the
> version of dak to this hypothetical version?

I don't think so, but I really don't know that much about dak and how
it's set up.

But since filing this bug one thing has occured to me: Debian LTS
uploads now go to security-master, thus this is more or less the same
problem as "#862538: security.debian.org: Please POST .buildinfo files
to buildinfo.debian.net".


-- 
tschau,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

[signature.asc (application/pgp-signature, inline)]

Message #20 received at 929397@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>

To: "Holger Levsen" <holger@layer-acht.org>

Cc: 929397@bugs.debian.org

Subject: Re: Bug#929397: ftp.d.o: please upload LTS .buildinfo files to ftp-master

Date: Sun, 26 May 2019 11:14:29 +0100

Holger Levsen wrote:

> > >    <h01ger> | for ftp.d.o there's a cronjob running as my user on coccia.d.o,
> > >               which surely is a hack, but works for now. […]
> >
> > Would a "clean" dak-based solution…
> >
> > > Also please note that this bug will only become relevant when Stretch
> > > becomes LTS as only dpkg from stretch (and newer) produces .buildinfo
> > > files.
> >
> > … mean this is easily implemented for LTS too by "simply" updating the
> > version of dak to this hypothetical version?
> 
> I don't think so, but I really don't know that much about dak and how
> it's set up.

Can you clarify your "don't think so"? Note that I was talking about a
hypothetical improved/patched version of dak that had native support
for publishing .buildinfo files, not the current one.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

Message #25 received at 929397@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>

To: Chris Lamb <lamby@debian.org>

Cc: 929397@bugs.debian.org

Subject: Re: Bug#929397: ftp.d.o: please upload LTS .buildinfo files to ftp-master

Date: Mon, 27 May 2019 10:24:53 +0000

[Message part 1 (text/plain, inline)]

On Sun, May 26, 2019 at 11:14:29AM +0100, Chris Lamb wrote:
> Can you clarify your "don't think so"? Note that I was talking about a
> hypothetical improved/patched version of dak that had native support
> for publishing .buildinfo files, not the current one.

well, sure, a hypothetical improved/patched version of dak can do
anything and also has the feature to only release .buildinfo files once
the package/bug is unembargoed. 

(the underlying problem with the security (and thus the LTS) archive is 
that it might contain fixes for issues still under CVE-embargo, thus
these (and their mere existance) must not become public before they may
become public.)


-- 
tschau,
	Holger

-------------------------------------------------------------------------------
               holger@(debian|reproducible-builds|layer-acht).org
       PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.