Hi, On Sat, Jun 03, 2023 at 10:55:08AM +0200, Philipp Kern wrote: > Hi, > > On 01.06.23 16:51, Sylvain Beucler wrote: > > I'm part of the Debian LTS Team, and along with the Security Team, we're > > looking into making embargo'd build logs eventually public. > > See https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/51 > > > > Typical use case: when the LTS Team is working on the first LTS security > > upload for buster-security, the previous build logs are not available, > > while they are critical to interpret any new build failure. > > This also improves the overall transparency of the Debian project. > > > > So we'd like to make the stable-security build logs eventually public, > > preferably early. One approach is to make the build logs available > > through https://buildd.debian.org/status/package.php on package release > > (when the embargoes for the package and possibly its dependencies are > > lifted, and the new packages are publicly distributed by Debian). > > Another more straightforward approach, but way more delayed, is to make > > these build logs available in batch, when handing over oldstable to the > > LTS team. > > > > Note: the new lts (buster-security) build logs are already made public, > > here we're targeting future-lts (bullseye-security) build logs. > > > > Currently we're not entirely sure on how build logs are injected to the > > buildd.debian.org/status/package.php service, so we're contacting you to > > determine how feasible this is. Typically: > > - Locate and identify publishable logs (in e-mail archives on master?) > > - Trigger the publication at the right time (dak hook?) > > > > I also volunteer to spend some time on the implementation, as part of my > > work on LTS. > > > > Do you think this can be achieved, and how? > > Right now we (wanna-build/buildd maintainers) do not have access to the logs > at all. They are sent directly to logs@security.d.o, where they are > presumably just distributed to team members. Maybe they are archived, I > cannot tell - in which case we might be able to (re)inject them.
The mails are forwarded from there to the archive on master. What I can immagine is that they could be stored as well on security-master itself for a potential dak hook, for instance as possible idea. > As far as I can see there is no access control on buildd.d.o when it comes > to logs: You just need to know the timestamp of the log. So if the > wanna-build state is available to buildd.d.o/status, I'd imagine that the > links to the logs would just show up if we were to inject them. How can they be reinjected? Regards, Salvatore
