#7688 Add packit FAS to the packager group
Closed: Fixed 5 months ago by pingou. Opened 5 months ago by ttomecek.

Describe what you would like us to do:

Please add the packit FAS account to the packager group: this was approved by FESCo: https://pagure.io/fesco/issue/2084

When do you need this to be done by? (YYYY/MM/DD)

This week would be just awesome. Otherwise 2019/04/10

Creating this issue because @pingou suggested that I do it and FPC fwd'd me here:

Happy to satisfy this request, but I'll wait 24h for feedback first :)

Technicality note: Is it possible to allow the FAS account to create pull-requests and upload to lookaside cache without being in the packager group? Technically, being in the packager group also allows other things (like owning or maintaining packages) and FESCo didn't approve that.

If not, that's fine - I don't want to invent overcomplicated technical setups for that.

The requirement is that we need to push to a fork and then create a pull request in an automated way. AFAIK this can only be done via SSH (packit@src.fedo...).

I thought we were getting rid of ssh access soon to go with https only. However that may be a different thing. I would like to get @puiterwijk's and @kevin's points on this.

@churchyard Thanks Miro, wasn't aware of that. Well, we would need to support such workflow explicitly in packit.

So what auth method will be preferred then? Will it be ssh using kerberos? or https+kerberos?

You should use https. Look at how fedpkg does it... do a 'fedpkg clone -a forks/packit/rpms/whatever' and then look at .git/config for the token config and .fedora/openidbaseclient-sessions.cache for the token itself

So, no, perhaps you don't need this to be a packager. It should be able to fork as a user and push to forks via https/oidc token.

Thank you, will check it out. Feel free to close.

ok, closing. Feel free to reopen or file a new ticket if you get stuck anywhere!


Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 months ago

I think that you need to be in the packager group to upload stuff to lookaside cache. Is that correct? Can this permission be applied to individual accounts as well?

You do indeed need to be a packager to upload. If that's needed we will have to add them to packager...

Sadly, we would not be able to propose new upstream release updates without uploading to lookaside cache (well, we could upload the tarball to git, but that doesn't seem like something we want to do).

I guess this could be solved by pagure somehow: it would download the tarball, verify the checksum using the sources file and then upload it to lookaside cache if all is good.

CC @zlopez you'll need this as well

Metadata Update from @ttomecek:
- Issue status updated to: Open (was: Closed)

5 months ago

I'm only proposing a simple update of the spec file as a pull request to the package maintainer. So I'm not sure if I need this.

@zlopez how will you upload the new upstream tarball to a lookaside cache then?

I think having pagure download the source etc is stretching the tool thin from what it is meant to do. You can use a screwdriver as a chisel sometimes.. but using it as a wrench is where you really need to go build a wrench.

@ttomecek The-new-hotness did nothing like this in the past, but if this is now needed I should probably do it by myself. First I need to know where to download the source, which is information that Anitya doesn't have.

@smooge I probably meant to say "pagure workflow", not pagure itself. I agree with you that having a dedicated tool or service doing such an operation would be ideal.

@zlopez looks like we should probably sync to be on the same page

I have added packit to the packager group. We can always revisit if we find a better solution :)

Let us know if you need anything else :)

Metadata Update from @pingou:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 months ago
