#329 Add support in fedpkg for interacting with side-tags in koji
Closed: Fixed 2 years ago by lsedlar. Opened 2 years ago by pingou.

Koji is gaining support for packager-created side-tags via the sidetag plugin: https://pagure.io/sidetag-koji-plugin (cf the pull-requests under review).

We would like to see fedpkg gain support for creating, listing and deleting side-tags via its command line.

Finally, we will want fedpkg to support a call to merge these side-tags. This call will be made to bodhi which will be in charge of converting this side-tag into an update.
The update will be then tested and if tests pass, bodhi will merge the side tag (ie: moving the builds to the regular tag and deleting the side-tag).

Proposed fix in rpkg: https://pagure.io/rpkg/pull-request/456
The change is not specific to Fedora, it will work with any Koji instance that has the plugin installed and configured.

As far as I can tell so far, the tag name does not have any indication of it's purpose, nor is there any way to find out which side tag was created by who. That can potentially lead to situations where people create a tag, forget its unmemorable name and don't delete it. Another risk is that people can delete tags of other people (quite possibly by accident rather than on purpose).

@tkopecek We originally thought/discussed prefixing the side tag name with the name of the user who created it, was this dropped?
It was intended to prevent, at least some of, the issue @lsedlar speaks about above :)

Including the user name would help. I tried making that change in https://pagure.io/sidetag-koji-plugin/pull-request/5. I'm also wondering if it would be practical to have an option to include arbitrary string description in there as well to help with cases where single user has multiple side tags at the same time.

@pingou It was dropped due to security reasons. Problem with username in tag name is, that glob policies can trigger in unexpected cases. Quoting @mizdebsk "For example hub policy used by Fedora infrastructure allows building from SRPM for tags matching glob infra, so if a user name contains string "infra", sidetags created for that user would allow building from SRPM."

About forgetting name: I expect users to use list-sidetags --mine to find ou what they have in game. Using policy limiting number of sidetags per user should push them to revisit what they are using and why.

To deleting other's tags - user can only delete his own sidetags. He has no permission to affect anyone else's.

@tkopecek, Good to know that tags have owners. How can I query tags that were created by a particular user? The listTags call does not seem to be able to do it, getTag does not show the owner either.

Use listSideTags(basetag=None, user=None, queryOpts=None) for this - it is not possible with classic tags, but it is introduced in plugin. This probably led me to source of misunderstanding.

Admin can of course use classic calls, but non-admin users needs to use only calls from plugin createSideTag, listSideTags and removeSideTag.

Oh, then that's perfectly clear. Where are those calls implemented? I don't see them in https://pagure.io/sidetag-koji-plugin.

EDIT: Nevermind, there's a pull request that adds it.

All those PRs were still not merged. Testing build is coming from my fork (branch https://pagure.io/fork/tkopecek/sidetag-koji-plugin/tree/demo) where are all merged together. Whole API is covered by this PR https://pagure.io/sidetag-koji-plugin/pull-request/1

The patch is merged and will be released in next python3-rpkg.

Metadata Update from @onosek:
- Issue set to the milestone: 1.37

2 years ago

Login to comment on this ticket.

Related Pull Requests
  • #456 Merged 2 years ago