Upload package failure due to wrong group permission rights
We sometimes have issues on package upload.
This happens when:
- a new user uploads a package into an existing directory tree (s)he does not own
- a user renames a package and creates a new directory tree through upload. The next time another user uploads a new version of that package, (s)he is hit by the same problem.
Example
anlambert recently renamed the package swh-web-ui to swh-web. Thus, ardumont can't upload a new version.
tony@.../repo/swh/swh-environment $ ./bin/make-package -u swh-web
signfile dsc /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1.dsc 0D10C3B8
fixup_buildinfo /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1.dsc /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1_amd64.buildinfo
signfile buildinfo /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1_amd64.buildinfo 0D10C3B8
fixup_changes dsc /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1.dsc /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1_amd64.changes
fixup_changes buildinfo /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1_amd64.buildinfo /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1_amd64.changes
signfile changes /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1_amd64.changes 0D10C3B8
Successfully signed dsc, buildinfo, changes files
swh-web_0.0.87-1.dsc 100% 2004 72.8KB/s 00:00
swh-web_0.0.87.orig.tar.gz 100% 195KB 1.2MB/s 00:00
swh-web_0.0.87-1.debian.tar.xz 100% 1480 55.9KB/s 00:00
python3-swh.web_0.0.87-1_all.deb 100% 180KB 1.9MB/s 00:00
swh-web_0.0.87-1_amd64.buildinfo 100% 8137 286.8KB/s 00:00
swh-web_0.0.87-1_amd64.changes 100% 2671 96.6KB/s 00:00
Error 13 creating hardlink of '/srv/softwareheritage/repository/tmp/swh-web_0.0.87-1.dsc' as '/srv/softwareheritage/repository/pool/main/s/swh-web/swh-web_0.0.87-1.dsc': Permission denied
There have been errors!
Checking the /srv/softwareheritage/repository/pool/main/s directory, indeed, ardumont cannot write to that directory.
ardumont@pergamon:/srv/softwareheritage/repository% ls -l /srv/softwareheritage/repository/pool/main/s
...
drwxrwsr-x 2 olasd swhdev 4096 Jun 30 13:02 swh-storage
drwxr-sr-x 2 anlambert swhdev 4096 Sep 8 12:11 swh-web
...
As a workaround, granting the group write permission on that folder makes it OK.
ardumont@pergamon:/srv/softwareheritage/repository% sudo chmod -v g+w /srv/softwareheritage/repository/pool/main/s/swh-web
ardumont@pergamon:/srv/softwareheritage/repository% sudo ls -l /srv/softwareheritage/repository/pool/main/s/
...
drwxrwsr-x 2 olasd swhdev 4096 Jun 30 13:02 swh-storage
drwxrwsr-x 2 anlambert swhdev 4096 Sep 8 12:11 swh-web
...
Indeed:
tony@.../repo/swh/swh-environment $ ./bin/make-package -u swh-web
The .changes file is already signed.
Would you like to use the current signature? [Yn]y
Leaving current signature unchanged.
swh-web_0.0.87-1.dsc 100% 2004 73.2KB/s 00:00
swh-web_0.0.87.orig.tar.gz 100% 195KB 1.3MB/s 00:00
swh-web_0.0.87-1.debian.tar.xz 100% 1480 51.4KB/s 00:00
python3-swh.web_0.0.87-1_all.deb 100% 180KB 1.7MB/s 00:00
swh-web_0.0.87-1_amd64.buildinfo 100% 8137 355.0KB/s 00:00
swh-web_0.0.87-1_amd64.changes 100% 2671 124.3KB/s 00:00
Skipping swh-web_0.0.87-1_amd64.changes because all packages are skipped!
signfile dsc /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1~bpo9~swh+1.dsc 0D10C3B8
fixup_buildinfo /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1~bpo9~swh+1.dsc /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1~bpo9~swh+1_amd64.buildinfo
signfile buildinfo /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1~bpo9~swh+1_amd64.buildinfo 0D10C3B8
fixup_changes dsc /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1~bpo9~swh+1.dsc /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1~bpo9~swh+1_amd64.changes
fixup_changes buildinfo /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1~bpo9~swh+1_amd64.buildinfo /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1~bpo9~swh+1_amd64.changes
signfile changes /home/tony/work/inria/repo/swh/swh-environment/packages/swh-web_0.0.87-1~bpo9~swh+1_amd64.changes 0D10C3B8
Successfully signed dsc, buildinfo, changes files
swh-web_0.0.87-1~bpo9~swh+1.dsc 100% 2048 80.2KB/s 00:00
swh-web_0.0.87.orig.tar.gz 100% 195KB 1.5MB/s 00:00
swh-web_0.0.87-1~bpo9~swh+1.debian.tar.xz 100% 1520 65.4KB/s 00:00
python3-swh.web_0.0.87-1~bpo9~swh+1_all.deb 100% 180KB 2.2MB/s 00:00
swh-web_0.0.87-1~bpo9~swh+1_amd64.buildinfo 100% 8230 315.5KB/s 00:00
swh-web_0.0.87-1~bpo9~swh+1_amd64.changes 100% 2863 109.0KB/s 00:00
Exporting indices...
Deleting files no longer referenced...
deleting and forgetting pool/main/s/swh-web/python3-swh.web_0.0.86-1~bpo9~swh+1_all.deb
deleting and forgetting pool/main/s/swh-web/swh-web_0.0.86-1~bpo9~swh+1.debian.tar.xz
deleting and forgetting pool/main/s/swh-web/swh-web_0.0.86-1~bpo9~swh+1.dsc
...
Counting objects: 4, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 1.92 KiB | 0 bytes/s, done.
Total 4 (delta 2), reused 0 (delta 0)
To ssh://forge.softwareheritage.org/source/swh-web.git
* [new tag] v0.0.87 -> v0.0.87
It would be nice to fix this definitively, so that we do not have to deal with such shortcomings once in a while when we are not the main packager.
Solution
short term
Connect to the machine and fix the group permission right away. That's what's being done regularly.
middle term
As we mainly use pergamon for packaging purposes, we could configure umask to 002 for all our uploader logins.
Note:
- I don't know if this is the proper reasoning, nor can I measure the impacts here. Feel free to enlighten me.
- I'm only seeing pergamon as our Debian package repository, but I may be wrong. This intranet page shows pergamon usage as 'sysadm playground', so it seems to go my way.
long term
As we discussed some time ago with @olasd, this may be a hint to use a specific user for the packaging upload. This may help in centralizing the (new) uploaders':
- GPG public keys to the same login (as opposed to each user needing to set up their own GPG public key)
- SSH public key to the same login (~/.ssh/authorized_keys)
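
The permission failure, the short-term `chmod g+w` workaround and the middle-term umask proposal above, reproduced on constructed temporary directories. This is an added example, not part of the original ticket or of the project's tooling; the function names `mkdir_as`, `audit_pool` and `fix_pool` are hypothetical, and the directory names only mirror the listing above.

```shell
#!/bin/sh
# Added example: runs against a throwaway directory, not the real repository.

# Create a directory the way an uploader's process would, under a given umask.
mkdir_as() {  # usage: mkdir_as UMASK DIR
    ( umask "$1" && mkdir "$2" )
}

# List subdirectories of a pool that other group members cannot write to.
# -perm -020 matches "group write bit set"; the leading ! negates it.
audit_pool() {  # usage: audit_pool POOL_DIR
    find "$1" -mindepth 1 -type d ! -perm -020 | sort
}

# The short-term workaround from the ticket, applied to whatever the audit reports.
fix_pool() {  # usage: fix_pool POOL_DIR
    audit_pool "$1" | while IFS= read -r d; do
        chmod g+w "$d"
    done
}

demo() {
    pool=$(mktemp -d) || return 1
    chmod 2775 "$pool"                 # setgid parent, so new entries keep the group
    mkdir_as 002 "$pool/swh-storage"   # umask 002: group write kept
    mkdir_as 022 "$pool/swh-web"       # umask 022: group write stripped
    echo "not group-writable before the fix:"
    audit_pool "$pool"
    fix_pool "$pool"
    echo "not group-writable after the fix:"
    audit_pool "$pool"
    ls -l "$pool"
    rm -rf "$pool"
}

demo
```

Run periodically against the pool, the audit function reports directories that will block the next uploader before an upload actually fails.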
Migrated from T758 (view on Phabricator)