#5636 pkgs anonymous link over https does not work in Koji
Closed: Fixed 3 years ago Opened 3 years ago by cqi.

I fixed bug 1188634 yesterday, and the anonymous link over HTTPS works well. However, when I build packages, it looks like it does not work in Koji.

fedpkg -d -v build
Creating repo object from /home/cqi/packages/fedora/rpkg
Initiating a koji session to https://koji.fedoraproject.org/kojihub
Building rpkg-1.47-6.fc25 for f25-candidate
Building https://src.fedoraproject.org/git/rpms/rpkg?#d139c2a012e5ec7314785d3ad686bddd498eee63 for f25-candidate with options {} and a priority of None
koji build f25-candidate https://src.fedoraproject.org/git/rpms/rpkg?#d139c2a012e5ec7314785d3ad686bddd498eee63  <--
Created task: 16904151
Task info: https://koji.fedoraproject.org/koji/taskinfo?taskID=16904151
Watching tasks (this may be safely interrupted)...
16904151 build (f25-candidate, /git/rpms/rpkg:d139c2a012e5ec7314785d3ad686bddd498eee63): open (buildvm-05.phx2.fedoraproject.org)
16904151 build (f25-candidate, /git/rpms/rpkg:d139c2a012e5ec7314785d3ad686bddd498eee63): open (buildvm-05.phx2.fedoraproject.org) -> FAILED: ActionNotAllowed: policy violation (build_from_srpm)
  0 free  0 open  0 done  1 failed

When I changed the link back to original link using git://, git://pkgs.fedoraproject.org/, it works as expected.

This also affects scratch build.


Note that this has never worked. In the past, if someone did an anon checkout, they would have to re-checkout with auth to push changes or do builds.

We may want to allow builds now since we have https, but that's a decision for releng.

IMHO it would be a good idea to only allow https:// instead of git:// eventually to make sure that the connection between koji and src.fpo is always integrity protected.

You cannot specify https:// to koji; I believe it would need to be git+https://, which should just work as the builders can talk to pkgs.fp.o over port 443.

Thanks for the information. So, it is normal to not allow building from an anon-checkout. I get the answer. This issue could be closed from my perspective.

@kevin changed the status to Closed

3 years ago

I reopen this issue because of a recent release of fedpkg-1.27. The anonymous link provided in pkgs.fp.o does not work in Koji for build, scratch-build, and scratch-build with --srpm from an authenticated clone as well.

It does not work either when using the prefix git+https.

Related bug 1425913

Metadata Update from @cqi:
- Issue status updated to: Open (was: Closed)

3 years ago

This is set on all the koji builders:

allowed_scms=pkgs.fedoraproject.org:/*:false:fedpkg,sources pagure.io:/fedora-kickstarts.git:false git.fedorahosted.org:/git/spin-kickstarts.git:false

I guess you are asking us to change this to allow src.fedoraproject.org?

Any change here would have to be acked by releng...

@ausil thoughts?

> This is set on all the koji builders:
> allowed_scms=pkgs.fedoraproject.org:/*:false:fedpkg,sources pagure.io:/fedora-kickstarts.git:false git.fedorahosted.org:/git/spin-kickstarts.git:false
> I guess you are asking us to change this to allow src.fedoraproject.org?

I actually have no idea whether this is a problem that should be fixed in Koji. :)

Another thing is that by using git://pkgs.fedoraproject.org/%(module)s, a user is able to build a package in Koji from both an authenticated clone and an anonymous clone, at least a scratch build. I hope the possible change to Koji would not break this behavior.

@kevin it's probably fine. We should remove git.fedorahosted.org:/git/spin-kickstarts.git:false. We would need to make sure the builders can talk to src.fp.o and that https:// works for git also.

The format of allowed_scms doesn't seem to be documented anywhere. :light_rail:

So what do we set it to to allow only https+git?

It's not possible to limit in the config the types allowed. Only the locations to be pulled from.
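Added example (not part of the ticket and not Koji's own code): a small Python sketch that reads the `allowed_scms` value quoted above and shows why it constrains only locations, not transports. The entry layout `host:repository[:use_common[:source_cmd]]` with glob matching, the defaults, and the function names are assumptions inferred from that value; the `git://` and `git+https://` URLs are constructed samples.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Value quoted in the ticket above.
ALLOWED_SCMS = (
    "pkgs.fedoraproject.org:/*:false:fedpkg,sources "
    "pagure.io:/fedora-kickstarts.git:false "
    "git.fedorahosted.org:/git/spin-kickstarts.git:false"
)

def parse_allowed_scms(value):
    """Split the space-separated value into entries (assumed layout, see lead-in)."""
    entries = []
    for item in value.split():
        parts = item.split(":")
        if len(parts) < 2:
            continue  # an entry needs at least a host and a repository pattern
        entry = {"host": parts[0], "repo": parts[1],
                 "use_common": True, "source_cmd": None}  # assumed defaults
        if len(parts) >= 3 and parts[2].lower() in ("no", "off", "false", "0"):
            entry["use_common"] = False
        if len(parts) >= 4 and parts[3]:
            entry["source_cmd"] = parts[3].split(",")
        entries.append(entry)
    return entries

def match_scm(url, entries):
    """Return (scheme, entry) for the first entry whose host and path globs match."""
    u = urlsplit(url)
    for entry in entries:
        if fnmatch(u.hostname or "", entry["host"]) and fnmatch(u.path, entry["repo"]):
            return u.scheme, entry
    return u.scheme, None

if __name__ == "__main__":
    entries = parse_allowed_scms(ALLOWED_SCMS)
    rev = "d139c2a012e5ec7314785d3ad686bddd498eee63"
    for url in (
        "git://pkgs.fedoraproject.org/rpms/rpkg?#" + rev,        # constructed
        "git+https://pkgs.fedoraproject.org/rpms/rpkg?#" + rev,  # constructed
        "https://src.fedoraproject.org/git/rpms/rpkg?#" + rev,   # from the ticket
    ):
        scheme, entry = match_scm(url, entries)
        # The scheme is never consulted by the match: only host and path decide.
        print(scheme, "->", entry["host"] if entry else "no matching entry")
```

Both the cleartext `git://` URL and the `git+https://` URL match the same entry, so requiring an integrity-protected transport has to be enforced somewhere other than this list.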

Metadata Update from @kevin:
- Issue tagged with: unfreeze

3 years ago

This was actually pushed on 2017-03-02 in ansible commit e6ace632877157c40731ba40e0b5bf1ace031d31

:ok_hand:

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
