commit 9a6016c2649ff2980b556b3e82134ea99161efea
Merge: 05d81db8a 0db9f599a
Author: Colin Watson <cjwatson@debian.org>
Date: Fri Jun 19 09:07:38 2026 +0000
Add an integration test for repository access tokens (MR !3159)
Fixes: #1392
Closes #1392
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3159
commit 05d81db8a0a0e57b27ad5ecfd2c4db5745c34c45
Merge: 1310f84e1 e9a94bf94
Author: Stefano Rivera <stefanor@debian.org>
Date: Thu Jun 18 22:23:20 2026 +0000
Build a debusine-client OCI image (MR !3138)
A fairly simple image using our `trixie-backport` packages from Debian.
There is a test image available here: `registry.salsa.debian.org/stefanor/debusine/debusine-client:latest`
Fixes: #1474
Closes #1474
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3138
commit e9a94bf947f7b8c713e9093d85bd6d9670f32c44
Author: Stefano Rivera <stefano@freexian.com>
Date: Thu Jun 11 16:40:47 2026 -0400
Build a docker-client OCI image
commit 0db9f599a7b247793953b1b53492d643e1a356ee
Author: Colin Watson <cjwatson@debian.org>
Date: Thu Jun 18 10:33:37 2026 +0100
Add an integration test for repository access tokens
Fixes: #1392
commit 1310f84e1e4bce2f3228a37ad1ddc6fe01ad2b56
Merge: 1facb2987 96996686c
Author: Colin Watson <cjwatson@debian.org>
Date: Wed Jun 17 16:27:20 2026 +0000
Enforce per-collection display permissions in archive views (MR !3151)
This includes accepting external user tokens with suitable grants (part
of #1392).
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3151
commit 1facb29876a98157aa6a9353b7e305841adf1be4
Merge: c9b349812 31c54a48e
Author: Colin Watson <cjwatson@debian.org>
Date: Wed Jun 17 16:26:56 2026 +0000
Add `debusine archive token` commands (MR !3157)
These are more specific than the underlying API (which can operate on
any collection), but this is all we need at the moment, and having the
CLI be more specific helps to make it easier to understand. See
https://salsa.debian.org/freexian-team/debusine/-/work_items/1392#note_738221
and thread.
Part of #1392.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3157
commit 96996686c7b80dd774707f34956b3af77fc0f54b
Author: Colin Watson <cjwatson@debian.org>
Date: Mon Jun 15 10:10:48 2026 +0100
Enforce per-collection display permissions in archive views
This includes accepting external user tokens with suitable grants (part
of #1392).
commit c9b3498123999d185f2d3361893d00d7bd5fa45e
Merge: f3b970bad f03634602
Author: Colin Watson <cjwatson@debian.org>
Date: Wed Jun 17 15:28:20 2026 +0000
Finish merging ArtifactInfo into InputArtifactSingle (MR !3158)
The workarounds needed to cope with some of its fields being nullable
are pretty small, and seem worth it to simplify the class hierarchy.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3158
commit f03634602f01b158a96839dc6f5e6f3aa2a253b3
Author: Colin Watson <cjwatson@debian.org>
Date: Wed Jun 17 14:43:21 2026 +0100
Finish merging ArtifactInfo into InputArtifactSingle
The workarounds needed to cope with some of its fields being nullable
are pretty small, and seem worth it to simplify the class hierarchy.
commit 2f10cfeef5eeab5ef570bab5bb4dc3ff057be8ce
Author: Colin Watson <cjwatson@debian.org>
Date: Wed Jun 17 14:25:47 2026 +0100
Fix DebDiffTests source_artifacts to match the input field
commit ed09a6b5471ebf3063c898fbada19501857a3a86
Author: Colin Watson <cjwatson@debian.org>
Date: Wed Jun 17 14:01:56 2026 +0100
Remove ArtifactInfo.id compatibility alias
commit 31c54a48e301d822779cbabbdac070b44a635919
Author: Colin Watson <cjwatson@debian.org>
Date: Wed Jun 17 11:13:07 2026 +0100
Add `debusine archive token` commands
These are more specific than the underlying API (which can operate on
any collection), but this is all we need at the moment, and having the
CLI be more specific helps to make it easier to understand. See
https://salsa.debian.org/freexian-team/debusine/-/work_items/1392#note_738221
and thread.
Part of #1392.
commit f3b970badd2af00ce49ab28755f9ac740fa810d0
Merge: 14d339d3f 4691528b5
Author: Colin Watson <cjwatson@debian.org>
Date: Wed Jun 17 09:12:13 2026 +0000
Add an API to manage collection token grants (MR !3152)
Part of #1392.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3152
commit 4691528b55a9a03f59e4eeb4315e6191666aed6a
Author: Colin Watson <cjwatson@debian.org>
Date: Mon Jun 15 10:20:39 2026 +0100
Add an API to manage collection token grants
Part of #1392.
commit 14d339d3fddedc21965680b831c9e438662e3dff
Merge: 6a8d7eef2 d76020036
Author: Stefano Rivera <stefanor@debian.org>
Date: Tue Jun 16 22:51:45 2026 +0000
Blueprint for live log streaming (MR !3040)
I added a development blueprint for live log streaming.
Work item: #854
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3040
commit d76020036dc7e28b3b17b557ccf54b1ae36a8616
Author: Mohamed Ashraf <mohamed.code.13@gmail.com>
Date: Tue Jun 16 22:51:44 2026 +0000
add live log streaming blueprint
commit 6a8d7eef2aa4f3b477e173f8655b82005a19c68c
Merge: a0f5da9a4 50d020e3b
Author: Colin Watson <cjwatson@debian.org>
Date: Tue Jun 16 22:40:30 2026 +0000
Wrap `debusine-admin worker create` in a transaction (MR !3156)
I'm not sure why this only caused integration test failures occasionally
rather than every time, but life's too short.
Fixes: #1503
Closes #1503
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3156
commit 50d020e3b32a5617e694046caf36e2df6b31444f
Author: Colin Watson <cjwatson@debian.org>
Date: Tue Jun 16 22:19:36 2026 +0100
Wrap `debusine-admin worker create` in a transaction
I'm not sure why this only caused integration test failures occasionally
rather than every time, but life's too short.
Fixes: #1503
commit a0f5da9a4bdf8f8ae48f7bed919170a5d8c66742
Merge: b7b4ecbe7 7938ce2bd
Author: Stefano Rivera <stefanor@debian.org>
Date: Tue Jun 16 10:12:36 2026 +0000
debian-pipeline doc: Flesh out the bullet point describing enable_confirmation's confirm task (MR !3154)
Fixes: #1504
Closes #1504
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3154
commit b7b4ecbe78d0b2de96583c67c35c42ad3c63c6e9
Merge: 1c08e0649 96c2663da
Author: Colin Watson <cjwatson@debian.org>
Date: Tue Jun 16 09:24:29 2026 +0000
Implement `WorkflowTemplate.restricted` flag (MR !3155)
Part of #634.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3155
commit 96c2663daa6b41744d9938560466c06009a1b456
Author: Colin Watson <cjwatson@debian.org>
Date: Mon Jun 15 22:05:20 2026 +0100
Implement `WorkflowTemplate.restricted` flag
Part of #634.
commit 7938ce2bdb77f493d9ae2bfaf82a4d37f214c499
Author: Stefano Rivera <stefano@freexian.com>
Date: Mon Jun 15 15:58:08 2026 -0400
debian-pipeline doc: Flesh out the bullet point describing enable_confirmation's confirm task
Fixes: #1504
commit 1c08e0649cde5c09c921005a8171ca4ee2af7ef4
Merge: 0eee1147a 0df1b47e2
Author: Stefano Rivera <stefanor@debian.org>
Date: Mon Jun 15 18:48:42 2026 +0000
Gracefully ignore missing orphan files during vacuum-storage cleanup. (MR !3137)
Refactor the `FileBackendEntryInterface.get_mtime` API to return `None` if a file cannot be found in the backend.
Fixes: #1478
Closes #1478
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3137
commit ca39efe9353198479b8f8128616988907cd6c99f
Author: Colin Watson <cjwatson@debian.org>
Date: Mon Jun 15 18:00:13 2026 +0100
Fix some uses of assertPermissionWhenRole
commit 0eee1147affa5bc466bbce849ea29b6d50d0ed03
Merge: abf9be590 ebdd20653
Author: Stefano Rivera <stefanor@debian.org>
Date: Mon Jun 15 14:38:23 2026 +0000
Delay notifying the worker that a work request is available, until the transaction has committed. (MR !3148)
Fixes: #1030
Closes #1030
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3148
commit abf9be5901dcff39d619402c3be5e29cb9306c28
Merge: 31d0e06f5 217b47dd8
Author: Colin Watson <cjwatson@debian.org>
Date: Mon Jun 15 14:29:30 2026 +0000
Improve HTTPS setup in integration tests (MR !3150)
`trustme` makes it fairly straightforward to create a certificate with a
`subjectAltName` for the `deb.*` subdomain, which will be needed in
order to test private repository access tokens (#1392).
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3150
commit 31d0e06f53699e439f572b7ae26357d30279cc45
Merge: a2928f416 1eb3653d5
Author: Stefano Rivera <stefanor@debian.org>
Date: Mon Jun 15 14:01:44 2026 +0000
Expand documentation on package_upload.require_signature (MR !3139)
We cover some of this detail in debian_pipeline, but not package_upload.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3139
commit ebdd206533a5c65369a8caa4680e0d5f454fb6cf
Author: Stefano Rivera <stefano@freexian.com>
Date: Sun Jun 14 13:54:19 2026 -0400
Delay notifying the worker that a work request is available, until the transaction has committed.
Fixes: #1030
commit a2928f416513cac5638e8dec5ba109341a5fb99e
Merge: 3f26c8100 b4785d489
Author: Colin Watson <cjwatson@debian.org>
Date: Mon Jun 15 13:39:29 2026 +0000
ruff: Sort python-debian imports properly (MR !3153)
`ruff` notices the local `debian/` directory and thinks that means that
the Python `debian` package is first-party. Teach it otherwise.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3153
commit b4785d4898086cf00eea2cdfeb29dceff3091f52
Author: Colin Watson <cjwatson@debian.org>
Date: Mon Jun 15 13:26:10 2026 +0100
ruff: Sort python-debian imports properly
`ruff` notices the local `debian/` directory and thinks that means that
the Python `debian` package is first-party. Teach it otherwise.
commit 3f26c8100bdd909b492a411842638ad957e9457d
Merge: 30832bc41 209382148
Author: Colin Watson <cjwatson@debian.org>
Date: Mon Jun 15 10:30:13 2026 +0000
Add collection token grants (MR !3131)
These can grant external user tokens the ability to view specific
private collections.
Part of #1392.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3131
commit 30832bc41f290b37548a319c8305a47b7b5b1bd6
Merge: cc82f5c52 ee79cd902
Author: Stefano Rivera <stefanor@debian.org>
Date: Mon Jun 15 10:26:24 2026 +0000
Set TMPDIR within the working directory when executing tasks (MR !3143)
On trixie, `/tmp` is a tmpfs by default, which typically isn't big
enough for sbuild unshare tasks.
Fixes: #1464
Closes #1464
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3143
commit cc82f5c525673b751be967acd6f74848bccf1b54
Merge: f2cc5ac0d a81118335
Author: Stefano Rivera <stefanor@debian.org>
Date: Mon Jun 15 10:26:07 2026 +0000
Retry transactions in delete_expired (MR !3144)
Requires some refactoring.
Closes #1446
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3144
commit 2093821489ca783df74c666bf9407e5c11162ca9
Author: Colin Watson <cjwatson@debian.org>
Date: Wed Jun 10 13:22:23 2026 +0100
Add collection token grants
These can grant external user tokens the ability to view specific
private collections.
Part of #1392.
commit 217b47dd88627c5eabe010db184de31c5d1b4224
Author: Colin Watson <cjwatson@debian.org>
Date: Sun Jun 14 23:34:55 2026 +0100
Improve HTTPS setup in integration tests
`trustme` makes it fairly straightforward to create a certificate with a
`subjectAltName` for the `deb.*` subdomain, which will be needed in
order to test private repository access tokens (#1392).
commit f2cc5ac0d71d71a3dc2619bbfdcda9b2868a12a4
Merge: 4a6859827 98b6f566c
Author: Stefano Rivera <stefanor@debian.org>
Date: Sun Jun 14 20:31:30 2026 +0000
Sort WorkflowTemplateSerializer.extra_groups (MR !3142)
Fixes: #1502
Closes #1502
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3142
commit 4a68598277f4b7b6bd9162e23e40f500623890b5
Merge: 20e40cdc8 f620c222e
Author: Stefano Rivera <stefanor@debian.org>
Date: Sun Jun 14 20:31:14 2026 +0000
Avoid truncating workflow template validation errors when launching workflows (MR !3145)
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3145
commit 20e40cdc8bbeee7321a4468640743e8d8594632f
Merge: 50c5d4036 be0da7387
Author: Stefano Rivera <stefanor@debian.org>
Date: Sun Jun 14 20:30:51 2026 +0000
Add gpgv_command option to bootstrap_options (MR !3146)
Allow bootstrapping older releases that rely on SHA1 signatures with `gpgv`.
Fixes: #1340
Closes #1340
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3146
commit 50c5d4036b8c5dc20334686896c8d3dff2f9ad79
Merge: b9521c134 8489ea62b
Author: Stefano Rivera <stefanor@debian.org>
Date: Sun Jun 14 20:30:40 2026 +0000
Update YubiHSM 2 links again (MR !3147)
Most of these are trivial, but the quick start guide lost the subsection we were referring to completely (not that there was much there).
Updating from: https://web.archive.org/web/20260328214049/https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-quick-start.html
To: https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-quick-start.html
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3147
commit 8489ea62b4c1aea0e6a413ce822783f20538f1aa
Author: Stefano Rivera <stefano@freexian.com>
Date: Sun Jun 14 08:42:52 2026 -0400
Update YubiHSM 2 links again
commit f620c222e4c69794300fda14304c93babcc81851
Author: Stefano Rivera <stefano@freexian.com>
Date: Sat Jun 13 16:55:37 2026 -0400
Avoid truncating workflow template validation errors when launching workflows.
commit be0da73870c7dad633a16ab804fee93042eb6275
Author: Stefano Rivera <stefano@freexian.com>
Date: Sat Jun 13 18:46:41 2026 -0400
Add gpgv_command option to bootstrap_options
Allow bootstrapping older releases that rely on SHA1 signatures with `gpgv`.
Fixes: #1340
commit a81118335a058b2f54a6c94a6cb77d2de1a30463
Author: Stefano Rivera <stefano@freexian.com>
Date: Sat Jun 13 14:24:36 2026 -0400
Retry transactions in debusine-admin delete_expired
Fixes: #1446
commit 4cabe41b9f0034f6deb63426b9a258db3b0a271d
Author: Stefano Rivera <stefano@freexian.com>
Date: Sat Jun 13 15:08:17 2026 -0400
Move tests to TransactionTestCase variants
commit 744e573065d43169155ef5293f42c6b3491fe2a8
Author: Stefano Rivera <stefano@freexian.com>
Date: Sat Jun 13 14:21:43 2026 -0400
Refactor delete_expired to avoid @pgtransaction.atomic context managers
The context manager form doesn't support retrying if we hit a
serialization error.
In the process, break up into smaller transactions.
commit ee79cd9021b286f3cfa3cd9187bc7950c2f8ae24
Author: Stefano Rivera <stefano@freexian.com>
Date: Sat Jun 13 11:45:40 2026 -0400
Use the worker environment override to set XZ_OPT
commit 0e410b818ac6eb37f90bb29f1b2ff9eb41b6f8ba
Author: Stefano Rivera <stefano@freexian.com>
Date: Sat Jun 13 11:43:13 2026 -0400
Config mechanism to override worker environment variables
commit 651350fb9239870c6701e28f413342ca325ea52e
Author: Stefano Rivera <stefano@freexian.com>
Date: Fri Jun 12 18:09:22 2026 -0400
Set TMPDIR within the working directory when executing tasks
On trixie, `/tmp` is a tmpfs by default, which typically isn't big
enough for sbuild unshare tasks.
Fixes: #1464
commit 759a87c049f8e117c8bcead4ec5c40356c175fd0
Author: Stefano Rivera <stefano@freexian.com>
Date: Sun May 24 10:53:27 2026 -0400
Execute tasks under a minimal environment (only PATH)
commit 98b6f566cb0446feb04e5d70e36f41db8122bc6c
Author: Stefano Rivera <stefano@freexian.com>
Date: Fri Jun 12 12:02:52 2026 -0400
Sort WorkflowTemplateSerializer.extra_groups
Fixes: #1502
commit 1eb3653d584ffec904b2229c803faddeb9aa0a22
Author: Stefano Rivera <stefano@freexian.com>
Date: Thu Jun 11 18:29:01 2026 -0400
Expand documentation on package_upload.require_signature
We cover some of this detail in debian_pipeline, but not package_upload.
commit b9521c134c13339cbfa229e5c3bc5a67afd09c3e
Merge: fc68de140 af03b1a05
Author: Raphaël Hertzog <hertzog@debian.org>
Date: Fri Jun 12 14:18:49 2026 +0000
docs: update work request scheduling explanation (MR !3141)
this updates the work request scheduling documentation to describe the current tag-based scheduling approach instead of focusing on `task.can_run_on()`.
It also adds a reference to the worker configuration HOWTO and updates the architecture-specific scheduling section to explain architecture tags and worker metadata configuration
Closes #1497
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3141
commit af03b1a05b0c532b71cc0170d368a008fb121a23
Author: Ayush Sharma <ayushhardeniya.grid@gmail.com>
Date: Fri Jun 12 19:48:49 2026 +0530
docs: update work request scheduling explanation
Replace outdated references to `task.can_run_on()` with the current
scheduler tag matching model. Document architecture-specific scheduling
using `worker:build-arch:*` tags and clarify that work requests are
ordered by priority, using age as a tie-breaker
commit 0df1b47e28e82c778d7bb2bcaa0d13c29d447cc0
Author: Stefano Rivera <stefano@freexian.com>
Date: Thu Jun 11 14:19:19 2026 -0400
S3 file backend: Raise NotImplementedError in the case where we should perform an mtime query
commit 92fb049195e14d4d1309f87d031999cbf39ad0d0
Author: Stefano Rivera <stefano@freexian.com>
Date: Thu Jun 11 11:56:45 2026 -0400
Gracefully ignore missing orphan files during `vacuum-storage` cleanup.
Refactor the `FileBackendEntryInterface.get_mtime` API to return `None`
if a file cannot be found in the backend.
Fixes: #1478
commit b02c0d5509d3c560ec6ce60ea02bbfbd7dd06034
Author: Stefano Rivera <stefano@freexian.com>
Date: Thu Jun 11 11:28:33 2026 -0400
Clarify that .remove() should not fail with ENOENT
commit fc68de140882351d69f9d50dd39bf4863c736e61
Merge: 09490c61b af7e3e9b2
Author: Colin Watson <cjwatson@debian.org>
Date: Thu Jun 11 14:58:39 2026 +0000
UploadFileView: Delete FileUploads before returning shortcut 201 (MR !3136)
This can happen if a client retried an upload following a load balancer
timeout (see #1448), in which case concurrent transactions might have
created a `FileUpload` and marked the `FileInArtifact` as complete.
There's no need to keep the `FileUpload` row in this case.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3136
commit 09490c61b9dbf31d7a9b49a3d1087fddbe05ebbc
Merge: b3270fd7e eab347b16
Author: Colin Watson <cjwatson@debian.org>
Date: Thu Jun 11 14:08:25 2026 +0000
vacuum_storage: Delete redundant FileUploads (MR !3135)
Following client fixes for #1448, we sometimes see leftover `FileUpload`
rows for a complete `FileInArtifact`. These are useless and can safely
be deleted.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3135
commit af7e3e9b22aac33ff6c958dae35853eb73f16c7b
Author: Colin Watson <cjwatson@debian.org>
Date: Thu Jun 11 14:56:37 2026 +0100
UploadFileView: Delete FileUploads before returning shortcut 201
This can happen if a client retried an upload following a load balancer
timeout (see #1448), in which case concurrent transactions might have
created a `FileUpload` and marked the `FileInArtifact` as complete.
There's no need to keep the `FileUpload` row in this case.
commit eab347b1639641dd0c4177da80aec5845ead87dc
Author: Colin Watson <cjwatson@debian.org>
Date: Thu Jun 11 13:46:35 2026 +0100
vacuum_storage: Delete redundant FileUploads
Following client fixes for #1448, we sometimes see leftover `FileUpload`
rows for a complete `FileInArtifact`. These are useless and can safely
be deleted.
commit b3270fd7ee0a1380d5b70fd02834211931784f32
Merge: 85297db92 82cc83d87
Author: Stefano Rivera <stefanor@debian.org>
Date: Thu Jun 11 02:00:45 2026 +0000
Increase the number of chunk upload attempts (MR !3133)
We observe a number of system image chunks failing to upload repeatedly.
Part of: #1448
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3133
commit 82cc83d87bdabc0df37bdd76e3abc985ab1ddd49
Author: Stefano Rivera <stefano@freexian.com>
Date: Wed Jun 10 19:51:18 2026 -0400
NEWS
commit 93d0ce90e33551dc476fe093bbd8e7278756776a
Author: Stefano Rivera <stefano@freexian.com>
Date: Wed Jun 10 19:50:21 2026 -0400
Use mmap context managers, where possible
commit ca23a24c6ba5409b53d7daca0f2d582dbaa35567
Author: Stefano Rivera <stefano@freexian.com>
Date: Wed Jun 10 19:26:59 2026 -0400
File uploader: Retry 500-series errors
commit 09eed79abaf9374d99c3fe3c38192a119c6f65d8
Author: Stefano Rivera <stefano@freexian.com>
Date: Wed Jun 10 19:18:52 2026 -0400
Increase the number of chunk upload attempts
We observe a number of system image chunks failing to upload repeatedly.
commit 85297db926189f9b3b215d8f35a5155a66c324ca
Merge: d1de66915 1485b8546
Author: Stefano Rivera <stefanor@debian.org>
Date: Wed Jun 10 14:09:00 2026 +0000
Record CVEs in release-history (MR !3132)
We got a pair of CVEs assigned. Record them for posterity.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3132
commit 1485b8546dd7bca683986f231f53ec6bd7ceeae2
Author: Stefano Rivera <stefano@freexian.com>
Date: Wed Jun 10 08:37:30 2026 -0400
Add CVE (and issue) links for recently filed CVEs
commit d1de66915794907c9ee80249e83a37eae47e7f44
Merge: 1d1abde86 52470e029
Author: Stefano Rivera <stefanor@debian.org>
Date: Wed Jun 10 12:31:11 2026 +0000
Handle 0-sized partial artifact file uploads gracefully (MR !3129)
This is the server side of the issue. The client was confused and sent an empty POST by mistake.
Fixes: #1448
Closes #1448
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3129
commit 1d1abde86f7fb4bd94d7147259b0b6054f6e1fde
Merge: ab3b07112 1bcdd99e2
Author: Colin Watson <cjwatson@debian.org>
Date: Wed Jun 10 00:05:47 2026 +0000
Rewind file when retrying a file upload chunk (MR !3130)
Part of #1448.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3130
commit 1bcdd99e2b36b95f871655ffa83a25c3943b108c
Author: Colin Watson <cjwatson@debian.org>
Date: Wed Jun 10 00:29:49 2026 +0100
Rewind file when retrying a file upload chunk
Part of #1448.
commit 52470e029a19ff2728d4518327cbc3a293d8d30a
Author: Stefano Rivera <stefano@freexian.com>
Date: Tue Jun 9 18:54:32 2026 -0400
Full reproducer for the issue observed in #1448
commit 645a8c77c074126aa3a27496c03786ec5228faf0
Author: Stefano Rivera <stefano@freexian.com>
Date: Tue Jun 9 18:06:17 2026 -0400
Handle 0-sized partial artifact file uploads gracefully
commit 7bf7c2515d4539eb8c7f81a07c4a0157f207dd29
Author: Colin Watson <cjwatson@debian.org>
Date: Tue Jun 9 23:58:35 2026 +0100
Move Content-Range header preparation to _upload_chunk
commit c233288372149cf9f9d95757aca06597081e55fa
Author: Colin Watson <cjwatson@debian.org>
Date: Tue Jun 9 23:54:53 2026 +0100
Simplify and improve client chunked upload tests
commit ab3b071126306563b58bbf26f41a47dd56ccd88e
Merge: 5b4ef8ba6 7e542bef2
Author: Stefano Rivera <stefanor@debian.org>
Date: Tue Jun 9 16:06:27 2026 +0000
Revive completed parent workflows when retrying sub-workflows (MR !3120)
Otherwise we'll lockup our scheduler, repeatedly trying to schedule a task that we cannot.
Continuation of !3038
Fixes: #1496
Closes #1496
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3120
commit 7e542bef2b5d0d3a4a64d9a820334a09fb04d3f7
Author: Stefano Rivera <stefano@freexian.com>
Date: Sat Jun 6 19:17:49 2026 -0400
Revive completed parent workflows when retrying sub-workflows
Otherwise we'll lockup our scheduler, trying to schedule a task that
cannot complete.
Continuation of !3038
Fixes: #1496
commit 5b4ef8ba65428161c1c512e82dadd9540a0c80ee
Merge: c02067ec4 306b26a41
Author: Colin Watson <cjwatson@debian.org>
Date: Tue Jun 9 11:04:39 2026 +0000
Add external user tokens (MR !3121)
This is a new token type that has a username but does not correspond to
a Debusine user. As a result, it has no inherent permissions beyond
what any anonymous user could do, and it must have explicit grants
associated with it in order to do anything special. No such grants are
implemented yet; those will come in a future merge request.
These will be useful for private repository access tokens (#1392), where
they will amount to username/password pairs (with the password being a
randomly-generated 64-character hexadecimal string, as usual for token
keys) that can be granted the `VIEWER` role on individual private
repositories.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3121
commit 306b26a41402e6887bafa85cda05c73672ea8ecf
Author: Colin Watson <cjwatson@debian.org>
Date: Sun Jun 7 20:03:47 2026 +0100
Add external user tokens
This is a new token type that has a username but does not correspond to
a Debusine user. As a result, it has no inherent permissions beyond
what any anonymous user could do, and it must have explicit grants
associated with it in order to do anything special. No such grants are
implemented yet; those will come in a future merge request.
These will be useful for private repository access tokens (#1392), where
they will amount to username/password pairs (with the password being a
randomly-generated 64-character hexadecimal string, as usual for token
keys) that can be granted the `VIEWER` role on individual private
repositories.
commit c02067ec447f5997520abc2c98b560a67a7a2ee5
Merge: 2b6b0bac2 0497fa5bf
Author: Colin Watson <cjwatson@debian.org>
Date: Mon Jun 8 23:27:01 2026 +0000
doc: Set html_baseurl (MR !3122)
This adds a `<link rel="canonical" ... />` tag to each page, which
should help search engines understand which version is preferred.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3122
commit 2b6b0bac2904f1c47c8b6baa902f343e06e5f8c1
Merge: 734dce2e5 a5b79c4a0
Author: Colin Watson <cjwatson@debian.org>
Date: Mon Jun 8 13:20:54 2026 +0000
Document how to run integration tests locally (MR !3118)
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3118
commit 734dce2e5734673458f85ab23c30f27b6559d83a
Merge: 5bb807ed9 a10945265
Author: Colin Watson <cjwatson@debian.org>
Date: Mon Jun 8 13:02:54 2026 +0000
Set gunicorn and Celery defaults to keep memory leaks under control (MR !3117)
Fixes: #1493
Closes #1493
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3117
commit 0497fa5bf353f6825b4d9a186e200fd2477bb459
Author: Colin Watson <cjwatson@debian.org>
Date: Mon Jun 8 12:15:05 2026 +0100
doc: Set html_baseurl
This adds a `<link rel="canonical" ... />` tag to each page, which
should help search engines understand which version is preferred.
commit 5bb807ed9451a35bae5d85c71d9e48fef2cffb42
Merge: 7d432b06c 0890112c0
Author: Colin Watson <cjwatson@debian.org>
Date: Sun Jun 7 22:22:45 2026 +0000
artifacts: add debian:debug-symbols category and DebianDebugSymbols model (MR !3088)
Related to #957, @cjwatson
As discussed, this adds the `debian:debug-symbols` artifact category and the `DebianDebugSymbols` Pydantic model to `debusine/artifacts/models.py`, along with tests covering the 5 cases from the blueprint (valid input, wrong length, uppercase, non-hex, duplicates).
Kept `FileInArtifact.path` as bare build-IDs as you suggested and left out `file_paths` and DWZ support for now as they're out of scope for the initial implementation.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3088
commit 7d432b06c8cba7bc3c10fa265ebaba99fef1d16e
Merge: cdd4ad4de 08f37f934
Author: Colin Watson <cjwatson@debian.org>
Date: Sun Jun 7 21:30:08 2026 +0000
clarify debuginfod extraction runs on worker, not in sbuild unshare (MR !3119)
Clarify in the debuginfod blueprint that .debug extraction runs on the worker during artifact upload, not inside the sbuild unshare environment. The Requirements section previously said extraction must run "inside the isolated sbuild worker", which contradicted the Implementation plan that describes it as a helper called from \_upload_binary_packages() / upload_artifact() after the build finishes. Rewords the Requirements bullet and the closing paragraph of the extraction section to match the implementation plan. Docs only; no code changes.
Closes: #1476
Closes #1476
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3119
commit 08f37f9344d69a25368df16edd759be29ac58830
Author: Jugal Patel <ui22cs59@iiitsurat.ac.in>
Date: Sat Jun 6 16:54:37 2026 +0000
clarify debuginfod extraction runs on worker, not in sbuild unshare
commit 0890112c057463f74351f9f4e2b3b01404dfa4a3
Author: Jugal Patel <ui22cs59@iiitsurat.ac.in>
Date: Wed May 27 05:27:34 2026 +0000
artifacts: add debian:debug-symbols category and DebianDebugSymbols model
commit cdd4ad4de6c5f284e3629c876a040bbfbec203e3
Merge: d4ad634fd e01e960a9
Author: Colin Watson <cjwatson@debian.org>
Date: Fri Jun 5 16:52:19 2026 +0000
Add roles for collections (MR !3116)
For private repository access tokens (#1392), we'll want the concept of
collections with different visibility rules from their containing
workspace, so that tokens can be granted access to some collections in a
private workspace but not others. Introduce collection roles to support
this.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3116
commit a5b79c4a0674799fba0bdbfcbd53d02d0c9891f7
Author: Colin Watson <cjwatson@debian.org>
Date: Fri Jun 5 11:36:22 2026 +0100
Document how to run integration tests locally
commit a10945265c863bd664ec291455e51d602af4d776
Author: Colin Watson <cjwatson@debian.org>
Date: Fri Jun 5 11:08:12 2026 +0100
Set gunicorn and Celery defaults to keep memory leaks under control
Fixes: #1493
commit d4ad634fd6949ac772fa0599df4ac8b7903fc653
Merge: 03d30ca06 a47ad3153
Author: Colin Watson <cjwatson@debian.org>
Date: Fri Jun 5 09:57:47 2026 +0000
Add a custom input field for CopyCollectionItems (MR !3102)
This is needed in order to implement a `move` parameter for #1113,
because for that the task needs to have access to richer lookup
information so that it knows which collection the input artifacts were
found in.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3102
commit e01e960a9937a82b3ae15a0c996775e0dd6b3105
Author: Colin Watson <cjwatson@debian.org>
Date: Thu Jun 4 20:21:06 2026 +0100
Add roles for collections
For private repository access tokens (#1392), we'll want the concept of
collections with different visibility rules from their containing
workspace, so that tokens can be granted access to some collections in a
private workspace but not others. Introduce collection roles to support
this.
commit 03d30ca065b41df7d0f5a8d1e3e92a42c98a810f
Merge: 544a0f907 91f0d970d
Author: Colin Watson <cjwatson@debian.org>
Date: Thu Jun 4 15:20:38 2026 +0000
web: reject worker tokens from web views (MR !3115)
Workers are generally expected to use the API rather than the web UI.
the known exception is `DownloadPathView`, which workers use to
download artifacts.
Add an `allow_worker_tokens` flag to `BaseUIView`, defaulting to
`False`, and enable it for `DownloadPathView`.
also add a test covering the default rejection of worker tokens in web
views
fixes: #1410
Closes #1410
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3115
commit 91f0d970d359fc18fed6ebcb102c7edfbe7b0691
Author: Ayush Sharma <ayushhardeniya.grid@gmail.com>
Date: Thu Jun 4 11:46:31 2026 +0000
web: reject worker tokens from web views
Workers are generally expected to use the API rather than the web UI.
the known exception is `DownloadPathView`, which workers use to
download artifacts.
Add an `allow_worker_tokens` flag to `BaseUIView`, defaulting to
`False`, and enable it for `DownloadPathView`.
also add a test covering the default rejection of worker tokens in web
views
fixes: #1410
commit 544a0f9077a68f2d486e0baeb19451e00e54d279
Merge: 7b5dc77b1 76375b272
Author: Carles Pina i Estany <carles@pina.cat>
Date: Thu Jun 4 05:30:16 2026 +0000
debusine client "collection show {name}@{category}": show the Web URL (MR !3112)
related #1434
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3112
commit 7b5dc77b17c8bbc1a5920d01bb86f6567b9b3090
Merge: fd0a9a1f1 b312cb7ee
Author: Colin Watson <cjwatson@debian.org>
Date: Wed Jun 3 15:06:59 2026 +0000
Convert PermissionContext to a frozen dataclass (MR !3113)
This removes quite a bit of boilerplate.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3113
commit b312cb7ee3dbdb8d63fe5e22acf92ee99210dcbd
Author: Colin Watson <cjwatson@debian.org>
Date: Wed Jun 3 15:30:03 2026 +0100
Convert PermissionContext to a frozen dataclass
This removes quite a bit of boilerplate.
commit 76375b27219248da0c9e1e3dd9b809436daef2e6
Author: Carles Pina i Estany <carles@pina.cat>
Date: Wed Jun 3 13:24:13 2026 +0100
debusine client "collection show {name}@{category}": show the Web URL
related #1434
commit fd0a9a1f143754db4ad1c838235a65e08c500525
Merge: 9ff238b32 9b950906a
Author: Carles Pina i Estany <carles@pina.cat>
Date: Wed Jun 3 09:47:46 2026 +0000
CollectionRelationSetView.put: return error if destination collection is not found or accessible (MR !3107)
CollectionRelationSetView.put: return error if destination collection does not exist or is not accessible
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3107
commit 9ff238b32c22f3d1846f69b3b30e2c34a7085bb0
Merge: 1b40596d0 da984c2cc
Author: Colin Watson <cjwatson@debian.org>
Date: Wed Jun 3 07:44:40 2026 +0000
Improve archive view tests (MR !3109)
These tests are now a bit more concise and test private workspace handling more systematically, in preparation for #1392.
Merge-Request: https://salsa.debian.org/freexian-team/debusine/-/merge_requests/3109
commit da984c2cc8d1f4efbc5fef242053470460d0723e
Author: Colin Watson <cjwatson@debian.org>
Date: Tue Jun 2 19:01:16 2026 +0100
Run more private workspace tests for archive views
Move these up to a test base class so that we can easily run them for
each of the archive views.
Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.
Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.
![[bug history graph]](https://qa.debian.org/data/bts/graphs/d/debusine.png){kind=link}