#585 koji policy for builds/channels.
Closed: Fixed 2 years ago by tkopecek. Opened 6 years ago by ausil.

In Fedora we have a channel for secure-boot. The x86_64 builders in that channel have installed in them access to keys to sign binaries for secure boot. We have this policy in use: https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/koji_hub/templates/hub.conf.j2#n112. If a person without the secure-boot permission does a build, the build goes to the default channel and is signed with test keys, and as a result is not bootable by systems with secure boot enabled.

The result of such a thing happening can be seen at https://koji.fedoraproject.org/koji/taskinfo?taskID=21799645. What we really should do is fail the build at the start, since we do not want it built in the first place. All it would take is a well-intentioned person overlooking why and tagging the build in, resulting in lots of unbootable systems out there. At the time we set this up, I spent some time going over the use case with @mikem, and it was the best we could do with what is in place. But more and more we hit issues with it and really need to fail the task earlier on, and provide better messaging as to why the build failed. It will cause less frustration for helpful, well-intentioned people like @adamwill.


What should such a rule look like? Does it mean that you want to forbid specific packages from being built in some channel (like 'kernel' in 'default')? It is hackishly possible now via 'source'.
Or do you mean more specific rules based on NVR?

The use case we want to cover here is to ensure that if a user submits a kernel build and does not have permission to do the build in the needed channel, the build is rejected at the start. What happens today instead is that the build happens in the default channel, completes, and fails at the tagging stage, resulting in builds in koji that are not usable on users' systems.

So, nowadays it can be done with the build_from_scm policy, e.g.:

has_perm signer !! deny "missing signed permission

Of course, with other tests for channel/package, etc.
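
A fuller form of that rule, as an added example that is not from this ticket or from Fedora's configuration: `secure-boot` is the permission name the report mentions, while the `scm_repository` field, the `/rpms/kernel` pattern and the deny wording are assumptions to check against the policy documentation for your Koji version. The permission check is nested because `!!` negates the whole `&&` chain, so a single-line `match ... && has_perm ... !! deny` would deny every build that is not a permitted kernel build.

```ini
[policy]
# Constructed example: reject kernel builds up front when the submitter lacks
# the signing-channel permission, instead of letting them build in the default
# channel with test keys and fail later at tagging.
build_from_scm =
    match scm_repository /rpms/kernel :: {
        has_perm secure-boot !! deny kernel builds require the secure-boot permission
    }
    # The site's existing allow rules for permitted SCM hosts go here, unchanged.
    all :: deny
```

Users who hold the permission fall through the nested block to the rules that follow it, so the existing allow rules still decide whether the SCM itself is acceptable.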

Metadata Update from @tkopecek:
- Custom field Size adjusted to None

2 years ago

Metadata Update from @tkopecek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago
