[pkg-go] tag2upload failure with golang-github-containerd-nri

Mon Aug 11 16:30:48 BST 2025

Hi.  Thanks for your continued participation in our beta
programme :-).

I noticed that tag2upload was told about a tag in
  https://salsa.debian.org/go-team/packages/golang-github-containerd-nri.git
named
  debian/0.8.0-1
and failed to fetch it, getting 404.  (Job 395.)

Our logging and reporting arrangements have failed to capture a
relevant email address.  I'm guessing you're the right person to mail
because you're named as the Uploader for this package on tracker.
I'm CC'ing the golang team too.

I think you should be told that this failed.  I'm afraid you won't
receive an automted email, because it failed too early.
n
The repository URL, above, is 404 for me, even when logged into Salsa.
I suspect it may have thw wrong permissions: gitlab reports 404 for
things that aren't accessible.

If you make the repository public and retry the push, it should work.
(Deleting the tag from the repo and repushing it may work, but if that
fails, increment the version number and try again.)

I think I have seen a similar failure before with a golang package.
You may wish to run some kind of ad-hoc script to try to detect other
repos that have inappropriate permissions.

Good luck.

Sean, we should think about this some more.

I think at the very least we ought to try to record some information
about who is likely to have been the instigator of a tag, in the debug
log.  One thing that is extremely bizarre right now is that the logs
contain the whole deserialised tag data *only* if the tag is NotForUs!
If we make a job out of it we discard that data.  This is
straightforward and I have filed t2usm#31 in salsa for that.

Currently we only send emails from the oracle, so we don't send any
email if a job fails before then.  This UX doesn't seem ideal.

Looking at the test data in our repo (which came from a real webhook)
I can see:

We do have `user_id`, `user_name` and `user_username` which I think
are the gitlab account which was used for the ref update.  The email
address is the literal string "[REDACTED]" so is no use.

We have the tag *body* but this does not contain the `tagger` git
header line.  (Likewise we have the message part of the tagged commit,
which also doesn't contain git-header-level metadata, although in this
case it happens to contain a `Signed-off-by`.)  So we have *no*
git-level attribution.  If the repository is inaccessible, as it is
here, we can't obtain the git-level header.

We could have t2usm have a gitlab account, which would enable it to
make an API call to a URL like
   https://salsa.debian.org/api/v4/users/193
which (if we're lucky) will give us a public email.

I'm not sure I relish the idea of teaching t2usm how to log into
gitlab but it maybe the least bad option.  It's probably some oauth
nightmare.

Note that we don't do signature verification on the Manager so this
would allow anyone who can cause tags to appear on salsa to to cause
emails to be received by the user who pushes the tags (which might not
be the same person).  I think that's OK.

So, Sean, LMK what you think.  (I think we should use Salsa tickets
for things which are purely t2usm changes, since we can do "close bug
with MR" there.  If we use the BTS we have no integration with our
source code.)

Ian.

-- 
Ian Jackson <ijackson at chiark.greenend.org.uk>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.