Bug#1125487: tag2upload service needs to be able to retry against ftpmaster API

Sun, 18 Jan 2026 05:02:23 -0800 

Sean Whitton writes ("Bug#1125487: tag2upload service needs to be able to retry 
against ftpmaster API"):
> Ian Jackson [16/Jan 12:43pm GMT] wrote:
> > I thought of a number of options for such an arrangement:
> >
> >  1. dgit-repos-server uses the self-pipe trick turning (a) into an
> >     fd, so that it can be selected on.  What a palaver, unless
> >     there's a covnenient library we could use.
> >
> >  2. dgit rpush notifies dgit-repos-server by sending a signal to its
> >     parent (!), and dgit-repos-server uses sigwait.  Does perl
> >     even have a convenient way to sigwait?
> >
> >  3. dgit-repos-server forks again, for littel child whose job it is to
> >     proxy the commit-to-public-upload dance.  That way if *that* child
> >     doesn't crash, dgit-repos-server knows what the o2m protocol state
> >     is.
> >
> >  4. dgit rpush writes the o2m protocol state to a file.
> >     Before it starts the commit-to-public-upload dance it writes
> >     UNKNOWN file.  After dgit rpush exits, dgit-repos-server can read
> >     this file to see if it can reuse the o2m connection.  (dgit rpush
> >     is very unlikely to crash during the commit-to-public-upload dance
> >     unless it's because the o2m connection is in any case broken.)
> >
> >  5. Instead of modifying dgit rpush, provide a stunt wrapper for gpg.
> >     This is *actually* the commitment point.  But the last thing we
> >     want to do is get more entangled with the gnupg CLI interface.
> 
> (3) seems preferable to me.

I thought of another option:

  6. dgit rpush raises SIGTTIN when it reaches the commitment point.
     d-r-s sends it SIGCONT, and provides it confirmation via a
     non-synchronising channel too (so that some administrator's
     SIGCONT isn't taken as success).  This allows d-r-s to use
     waitpid WSTOPPED to collect either possible next event.

     Something would need to take some extra measures to avoid leaking
     stopped dgit rpush processes, because a stopped process won't die
     from usually-fatal signals.  For example, maybe a child process,
     or timer_create(2), to send a SIGCONT after a timeout.  (Doing
     this in d-r-s itself is bad because what if it crashes due
     to a problem talking to the manager.)

Ian.

-- 
Ian Jackson <[email protected]>   These opinions are my own.  

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.

Reply via email to