I do not see the reason why, but in builder.py, line 535, koji_session.tagBuild is called with force=True.
This is a very bad idea, and should not be used in general.
What specific case are you trying to catch here? This case should be caught explicitly then.
I don't know. Looking at the git history, it seems it has always been this way since @lkocman wrote it in a0e33c1.
From reading through the kojihub source, it looks like the only useful thing this does is to automatically add the package to the pkglist before tagging the build into the tag.
There are also some sections where it skips over acls checks for the user on the tag in question, but since we're authenticating as admin - that's actually what we want.
I believe that the only reason why I do this, is that some tags at least in brew, has specific permissions that we need to match.
e.g. when you set permission x-y-z for given $tag and you're admin
brew tag-build $tag $build will simply fail even when admin > x-y-z, this only succeeds if you add --force.
fm-orchestrator was originally intended to run with admin privileges and I know that this problem will go away. If you on the other side want to restrict privileges, then its good idea to skip --force.
Right, so I get why you're adding force=True now.
I would however prefer that you fix it correctly by getting the modularity user assigned the needed koji permissions instead.
I know that at least in Fedora, this will be an option.
So probably make the forcing and the tag permissions configurable?
Here's the path to proceed (based on convo with @puiterwijk):
To rephrase the above, there is one code change here:
And then there is a releng task here:
I filed a request with Fedora releng for the new tag here.
OK - the tag is created in both prod and stage, and the script has been modified to populate it with all the package names.
For the code portion, see @mprahl's work in #362.
#362 is merged.
Metadata Update from @ralph:
- Issue status updated to: Closed (was: Open)
to comment on this ticket.