Hi,
On 01.06.23 16:51, Sylvain Beucler wrote:
> I'm part of the Debian LTS Team, and along with the Security Team, we're
> looking into making embargo'd build logs eventually public.
>
> See https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/51
>
> Typical use case: when the LTS Team is working on the first LTS security
> upload for buster-security, the previous build logs are not available,
> while they are critical to interpret any new build failure.
>
> This also improves the overall transparency of the Debian project.
>
> So we'd like to make the stable-security build logs eventually public,
> preferably early. One approach is to make the build logs available
> through https://buildd.debian.org/status/package.php on package release
> (when the embargoes for the package and possibly its dependencies are
> lifted, and the new packages are publicly distributed by Debian).
>
> Another more straightforward approach, but way more delayed, is to make
> these build logs available in batch, when handing over oldstable to the
> LTS team.
>
> Note: the new lts (buster-security) build logs are already made public,
> here we're targeting future-lts (bullseye-security) build logs.
>
> Currently we're not entirely sure on how build logs are injected to the
> buildd.debian.org/status/package.php service, so we're contacting you to
> determine how feasible this is. Typically:
> - Locate and identify publishable logs (in e-mail archives on master?)
> - Trigger the publication at the right time (dak hook?)
>
> I also volunteer to spend some time on the implementation, as part of my
> work on LTS.
>
> Do you think this can be achieved, and how?

Right now we (wanna-build/buildd maintainers) do not have access to the
logs at all. They are sent directly to logs@security.d.o, where they are
presumably just distributed to team members. Maybe they are archived, I
cannot tell - in which case we might be able to (re)inject them.

As far as I can see there is no access control on buildd.d.o when it
comes to logs: You just need to know the timestamp of the log. So if the
wanna-build state is available to buildd.d.o/status, I'd imagine that
the links to the logs would just show up if we were to inject them.

Kind regards
Philipp Kern