#940930 devscripts: add new script for self-service give-backs

Package:
devscripts
Source:
devscripts
Description:
scripts to make the life of a Debian Package maintainer easier
Submitter:
Paul Wise
Date:
2019-09-24 10:18:04 UTC
Severity:
wishlist
#940930#5
Date:
2019-09-22 04:14:28 UTC
From:
To:
Please add a new script for contributors to do self-service give-backs
from the command-line, perhaps something like this:

   wanna-build-sso gb --packages foo bar baz --architectures amd64 i386 --suites unstable experimental

Here is a copy of the announcement and blog post for your reference:

https://lists.debian.org/msgid-search/8b000c23ac2defbfeea7d5a0bc28ec2e3df55baa.camel@debian.org

   Self-service buildd givebacks
   -----------------------------

    Philipp Kern has created[1] an *experimental* service that allows Debian
    members to perform self-service retries of failed package builds (aka
    give-backs). This service aims to reduce the time it takes for give-back
    requests to be processed, which was done manually by the wanna-build
    admins until now. The service is authenticated using the Debian Single
    Signon[2] service. Debian members are still expected to act responsibly
    when looking at build failures; do your due diligence and try reproducing
    the issue on a porterbox first. Access to this service is logged and logs
    will be audited by the admins.

#940930#8
Date:
2019-09-22 12:17:27 UTC
From:
To:
user devscripts@packages.debian.org
usertags 940930 new
tags 940930 moreinfo
thanks

For the log, there is already one tool that uses SSO to authenticate,
namely `nmcli`, used by FD, DAM, etc to query stuff on nm.d.o.
Also, I wrote a thing (incompleted) to be able to schedule builds on
tests.reproducible-builds.org, also using SSO client certificates.

But, the future of SSO is currently uncertain, I prefer if the Debian
SSO would first finish their thing, and assure me that client
certificates will stay, as it's currenly not at all clear.
I don't want to include a tool in devscripts, that may already start
failing in 1 or 2 years.  Till then, I consider this request stalled
with "moreinfo".

#940930#15
Date:
2019-09-23 02:02:06 UTC
From:
To:
I guess that depends entirely on when browsers delete their support for
client certificates. They've been breaking them more and more over time.

#940930#18
Date:
2019-09-23 12:16:22 UTC
From:
To:
Haven't both chromium and firefox already dropped it?  At least chromium
did it more than a year ago, but it's quite easy to issue a new cert by
using openssl manually.

#940930#23
Date:
2019-09-23 23:38:26 UTC
From:
To:
I don't know about Chromium but I can still login to Debian services
using client certificates in Firefox.

#940930#28
Date:
2019-09-24 06:13:18 UTC
From:
To:
*Using* the certs still works everywhere and I suspect it will for a very
long time, given how many institutions use them.
What is being removed is the part producing the certs.

#940930#33
Date:
2019-09-24 10:15:51 UTC
From:
To:
Given how they intentionally make support for them worse over time and
don't improve the terrible UI situation, it seems very likely they are
going to work towards removing them from browsers completely.

I'm tempted to file an issue proposing a removal timeline myself just
so that there is a decision about whether to support or remove them.