#333 [audit] Koji builder does tagBuild with force=True
Closed 5 years ago Opened 5 years ago by puiterwijk.

I do not see the reason why, but in builder.py, line 535, koji_session.tagBuild is called with force=True.
This is a very bad idea, and should not be used in general.
What specific case are you trying to catch here? This case should be caught explicitly then.

I don't know. Looking at the git history, it seems it has always been this way since @lkocman wrote it in a0e33c1.

From reading through the kojihub source, it looks like the only useful thing this does is to automatically add the package to the pkglist before tagging the build into the tag.

There are also some sections where it skips over ACL checks for the user on the tag in question, but since we're authenticating as admin - that's actually what we want.

I believe that the only reason why I do this is that some tags, at least in brew, have specific permissions that we need to match.

e.g. when you set permission x-y-z for a given $tag and you're admin,
brew tag-build $tag $build will simply fail even when admin > x-y-z; this only succeeds if you add --force.

fm-orchestrator was originally intended to run with admin privileges and I know that this problem will go away. If you on the other side want to restrict privileges, then it's a good idea to skip --force.


Right, so I get why you're adding force=True now.
I would however prefer that you fix it correctly by getting the modularity user assigned the needed koji permissions instead.
I know that at least in Fedora, this will be an option.
So probably make the forcing and the tag permissions configurable?

Here's the path to proceed (based on convo with @puiterwijk):

  • We remove force=True (easy).
  • The problem, then, is that we need to have our packages added to the package list.
  • Today, that is done by releng (there is a sync script which syncs them from pkgdb here).
  • We should create a new tag, that never gets any builds, which maintains the packagelist for all modules.
  • All new module tags should inherit from it (to get the global package list).
  • We need to modify the sync script to populate the contents of that tag.

To rephrase the above, there is one code change here:

  • Remove force=True.
  • Change the koji builder.py code to make all new tags inherit from a master koji tag, the name of which should be defined in the config file.

And then there is a releng task here:

  • Work with fedora-releng to create that new tag.
  • Populate the package list of that tag with all fedora packages.
  • Adjust the bodhi/pkgdb sync script to keep that package list up to date as new packages are added to the distro.
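The code change described in the plan above, as an added example that is not fm-orchestrator's own code: new module tags are created with the master tag (its name taken from a hypothetical config key, koji_tag_package_master) as their inheritance parent, and tagBuild is called without force=True, with the "package not in the package list" case caught explicitly before the call instead of being papered over by force. The real koji calls assumed are koji.ClientSession.createTag (which accepts a parent), listPackages(tagID=..., inherited=True) and tagBuild; FakeKojiSession is a constructed in-memory stand-in with simplified signatures so the logic runs offline, and the tag and build names are constructed sample values.

```python
class PackageNotInTagError(Exception):
    """Raised when a build's package is not in the target tag's (inherited) package list.

    With force=True koji would silently add the package and also skip the tag
    ACL checks; failing here makes the missing package-list entry visible instead.
    """


class FakeKojiSession:
    """Constructed stand-in for koji.ClientSession (simplified signatures, in-memory state)."""

    def __init__(self):
        self.tags = {}      # tag name -> {"parent": name or None, "packages": set()}
        self.tagged = []    # (tag, build NVR) pairs, in call order

    def createTag(self, name, parent=None):
        # Real createTag also takes arches/perm/etc.; only the parent matters here.
        self.tags[name] = {"parent": parent, "packages": set()}

    def packageListAdd(self, tag, package):
        # Simplified: the real call takes owner and more; mirrors the releng sync script.
        self.tags[tag]["packages"].add(package)

    def listPackages(self, tagID, inherited=False):
        names = set(self.tags[tagID]["packages"])
        parent = self.tags[tagID]["parent"]
        if inherited and parent is not None:
            names |= {p["package_name"] for p in self.listPackages(parent, inherited=True)}
        return [{"package_name": n} for n in sorted(names)]

    def tagBuild(self, tag, build, force=False):
        # Like kojihub: refuse unless the package is in the tag's inherited package list,
        # or force=True is used (which is exactly what the ticket wants to stop doing).
        package = build.rsplit("-", 2)[0]
        listed = {p["package_name"] for p in self.listPackages(tag, inherited=True)}
        if not force and package not in listed:
            raise RuntimeError("package %s not in list for tag %s" % (package, tag))
        self.tagged.append((tag, build))


def create_module_tag(session, tag_name, config):
    """Create a new module tag inheriting the global package list from the master tag.

    config["koji_tag_package_master"] is a hypothetical config key naming the
    releng-maintained tag that never receives builds but carries the package list.
    """
    master_tag = config["koji_tag_package_master"]
    session.createTag(tag_name, parent=master_tag)
    return master_tag


def tag_build(session, tag, build_nvr):
    """Tag a build into a tag without force=True.

    The package-list membership check is done up front so the failure mode that
    force=True used to hide is reported explicitly; the tag ACLs are left to koji.
    """
    package = build_nvr.rsplit("-", 2)[0]          # NVR -> package name
    listed = {p["package_name"] for p in session.listPackages(tagID=tag, inherited=True)}
    if package not in listed:
        raise PackageNotInTagError(
            "%s is not in the package list inherited by %s; add it to the master tag"
            % (package, tag)
        )
    session.tagBuild(tag, build_nvr, force=False)
    return True


def demo():
    """Walk through the plan with constructed names; returns the builds that got tagged."""
    session = FakeKojiSession()
    config = {"koji_tag_package_master": "module-package-list"}   # constructed name
    # releng creates the master tag and the sync script fills its package list
    session.createTag(config["koji_tag_package_master"])
    session.packageListAdd(config["koji_tag_package_master"], "bash")
    # the builder creates a module tag that inherits that list
    create_module_tag(session, "module-httpd-2.4-20170314", config)
    tag_build(session, "module-httpd-2.4-20170314", "bash-4.4.12-5.fc27")
    try:
        tag_build(session, "module-httpd-2.4-20170314", "notinlist-1.0-1.fc27")
    except PackageNotInTagError as exc:
        print("refused as expected:", exc)
    return session.tagged


if __name__ == "__main__":
    print(demo())
```

Against a real koji hub the same two functions would be handed a koji.ClientSession that has already authenticated; nothing in them needs admin, only the tag and package-list permissions the ticket proposes granting to the modularity user.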

I filed a request with Fedora releng for the new tag here.

OK - the tag is created in both prod and stage, and the script has been modified to populate it with all the package names.

For the code portion, see @mprahl's work in #362.

Metadata Update from @ralph:
- Issue status updated to: Closed (was: Open)
