Package: devscripts
Severity: wishlist
X-Debbugs-CC: Philiip Kern <[email protected]>, [email protected]
Please add a new script for contributors to do self-service give-backs
from the command-line, perhaps something like this:
wanna-build-sso gb --packages foo bar baz --architectures amd64 i386 --suites unstable experimental
Here is a copy of the announcement and blog post for your reference:
https://lists.debian.org/msgid-search/[email protected]
Self-service buildd givebacks
-----------------------------
Philipp Kern has created[1] an *experimental* service that allows Debian
members to perform self-service retries of failed package builds (aka
give-backs). This service aims to reduce the time it takes for give-back
requests to be processed, which was done manually by the wanna-build
admins until now. The service is authenticated using the Debian Single
Signon[2] service. Debian members are still expected to act responsibly
when looking at build failures; do your due diligence and try reproducing
the issue on a porterbox first. Access to this service is logged and logs
will be audited by the admins.
-- Paul Wise
[1] https://debblog.philkern.de/2019/08/alpha-self-service-buildd-givebacks.html
[2] https://sso.debian.org/https://debblog.philkern.de/2019/08/alpha-self-service-buildd-givebacks.html
Alpha: Self-service buildd givebacks
Builds on Debian's build farm sometimes fail transiently. Sometimes
those failures are legitimate flakes, for instance when an in-
progress build happens to exhaust its resources because of other
builds on the same machine. Until now, you always needed to mail the
buildd, wanna-build admins or the Release Team directly in order to
get the builds re-queued.
As an alpha trial I implemented self-service givebacks as a web
script. As SSO for Debian developers is now a thing, it is trivial
to add authentication in a way that a role account can use to act on
your behalf. While at work this would all be an RPC service, I
figured that a little CGI script would do the job just as well. So
lo and behold, accessing
https://buildd.debian.org/auth/giveback.cgi?pkg=<package>&suite=<suite>&arch=<arch>
with the right parameters set:
You are authenticated as pkern. ✓
Working on package fife, suite sid and architecture mipsel. ✓
Package version 0.4.2-1 in state Build-Attempted, can be given back. ✓
Successfully given back the package. ✓
Note that you need to be a Debian developer with a valid SSO client
certificate to access this service.
So why do I say alpha? We still expect Debian developers to act
responsibly when looking at build failures. A lot of times there is
a legitimate bug in the package and the last thing we would like to
see as a project is someone addressing flakiness by continuously
retrying a build. Access to this service is logged. Most people
coming to us today did their due diligence and tried reproducing the
issue on a porterbox. We still expect these things to happen but
this aims to cut on the round-trip time until an admin gets around
to process your request, which have been longer than necessary
recently. We will audit the logs and see if particular packages
stand out.
There can also still be bugs. Please file them against
buildd.debian.org when you see them. Please include a copy of the
output, which includes validation and important debugging
information when requests are rejected. Also this all only works for
packages in Build-Attempted. If the build has been marked as Failed
(which is a manual process), you still need to mail us. And lastly
the API can still change. Luckily the state change can only happen
once, so it's not much of a problem for the GET request to be
retried. But it should likely move to POST anyhow. In that case I
will update this post to reflect the new behavior.
Thanks to DSA for making sure that I run the service sensibly using
a dedicated role account as well as WSGI and doing the work to set
up the necessary bits.
--
bye,
pabs
https://wiki.debian.org/PaulWise
user [email protected]
usertags 940930 new
tags 940930 moreinfo
thanks
On Sun, Sep 22, 2019 at 12:14:28PM +0800, Paul Wise wrote:
> Please add a new script for contributors to do self-service give-backs
> from the command-line, perhaps something like this:
>
> wanna-build-sso gb --packages foo bar baz --architectures amd64 i386 --suites unstable experimental
For the log, there is already one tool that uses SSO to authenticate,
namely `nmcli`, used by FD, DAM, etc to query stuff on nm.d.o.
Also, I wrote a thing (incompleted) to be able to schedule builds on
tests.reproducible-builds.org, also using SSO client certificates.
But, the future of SSO is currently uncertain, I prefer if the Debian
SSO would first finish their thing, and assure me that client
certificates will stay, as it's currenly not at all clear.
I don't want to include a tool in devscripts, that may already start
failing in 1 or 2 years. Till then, I consider this request stalled
with "moreinfo".
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
more about me: https://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
Acknowledgement sent
to Paul Wise <[email protected]>:
Extra info received and forwarded to list. Copy sent to Devscripts Maintainers <[email protected]>.
(Mon, 23 Sep 2019 02:06:03 GMT) (full text, mbox, link).
On Sun, 2019-09-22 at 14:17 +0200, Mattia Rizzolo wrote:
> assure me that client certificates will stay
I guess that depends entirely on when browsers delete their support for
client certificates. They've been breaking them more and more over time.
--
bye,
pabs
https://wiki.debian.org/PaulWise
On Mon, Sep 23, 2019 at 10:02:06AM +0800, Paul Wise wrote:
> On Sun, 2019-09-22 at 14:17 +0200, Mattia Rizzolo wrote:
>
> > assure me that client certificates will stay
>
> I guess that depends entirely on when browsers delete their support for
> client certificates. They've been breaking them more and more over time.
Haven't both chromium and firefox already dropped it? At least chromium
did it more than a year ago, but it's quite easy to issue a new cert by
using openssl manually.
--
regards,
Mattia Rizzolo
GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540 .''`.
more about me: https://mapreri.org : :' :
Launchpad user: https://launchpad.net/~mapreri `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia `-
Acknowledgement sent
to Paul Wise <[email protected]>:
Extra info received and forwarded to list. Copy sent to Devscripts Maintainers <[email protected]>.
(Mon, 23 Sep 2019 23:51:04 GMT) (full text, mbox, link).
On Mon, 2019-09-23 at 14:16 +0200, Mattia Rizzolo wrote:
> Haven't both chromium and firefox already dropped it? At least
> chromium did it more than a year ago, but it's quite easy to issue a
> new cert by using openssl manually.
I don't know about Chromium but I can still login to Debian services
using client certificates in Firefox.
--
bye,
pabs
https://wiki.debian.org/PaulWise
Acknowledgement sent
to Mattia Rizzolo <[email protected]>:
Extra info received and forwarded to list. Copy sent to Devscripts Maintainers <[email protected]>.
(Tue, 24 Sep 2019 06:15:06 GMT) (full text, mbox, link).
On Tue, 24 Sep 2019, 1:47 am Paul Wise, <[email protected]> wrote:
> I don't know about Chromium but I can still login to Debian services
> using client certificates in Firefox.
>
*Using* the certs still works everywhere and I suspect it will for a very
long time, given how many institutions use them.
What is being removed is the part producing the certs.
>
>
Acknowledgement sent
to Paul Wise <[email protected]>:
Extra info received and forwarded to list. Copy sent to Devscripts Maintainers <[email protected]>.
(Tue, 24 Sep 2019 10:18:04 GMT) (full text, mbox, link).
On Tue, 2019-09-24 at 08:13 +0200, Mattia Rizzolo wrote:
> *Using* the certs still works everywhere and I suspect it will for a
> very long time, given how many institutions use them.
> What is being removed is the part producing the certs.
Given how they intentionally make support for them worse over time and
don't improve the terrible UI situation, it seems very likely they are
going to work towards removing them from browsers completely.
I'm tempted to file an issue proposing a removal timeline myself just
so that there is a decision about whether to support or remove them.
--
bye,
pabs
https://wiki.debian.org/PaulWise
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.