Created 3 years ago
Maintained by pingou
Extension of pagure for its usage on dist-git
Members 4
Pierre-Yves Chibon committed 11 days ago


This project implements a dynamic Git auth backend for Pagure for Dist-Git, which has a slightly different access model than regular Pagure Git systems.


This plugin reuses the Pagure configuration, and adds several keys to it.

  • ACL_DEBUG: Whether to print some output with information decisions are based on.
  • ACL_PROTECTED_NAMESPACES: List of namespaces where the extra strong protections are in place.
  • BLACKLIST_RES: List of regular expressions with refs that can never be pushed.
  • ACL_BLOCK_UNSPECIFIED: Whether to deny pushes to branches that aren't either RCM, SIG or supported branches.
  • UNSPECIFIED_BLACKLIST_RES: List of regular expressions with refs that can't be used if unspecified.
  • RCM_BRANCHES: List of regular expressions with refs that people in the RCM group can push.
  • RCM_GROUP: The group containing RCM members
  • SUPPORTED_SIGS: List of groups that grant access to sig_prefix-$signame-* refs.
  • SIG_PREFIXES: List of prefixes for SIG refs.

To enable this plugin, you need to either point the PAGURE_PLUGIN environment variable at the pagure_distgit_config file or use the --plugin parameter of the script.

Example configurations


ACL_PROTECTED_NAMESPACES = ['rpms', 'modules', 'container']
RCM_GROUP = 'relenggroup'
RCM_BRANCHES = ['refs/heads/f[0-9]+']
# Pushing to c* stuff is never allowed
BLACKLIST_RES = ['refs/heads/c[0-9]+.*']
# Pushing to (f|epel|el|olpc)(num+) that is not previously approved
# (supported branches) is not allowed.
UNSPECIFIED_BLACKLIST_RES = ['refs/heads/f[0-9]+',


SIG_PREFIXES = ['refs/heads/c7', 'refs/heads/c7-plus', 'refs/heads/c7-alt', ]
SUPPORTED_SIGS = ['sig-atomic', 'sig-cloud', 'sig-core', 'sig-storage', ]

# Branches to which *nobody* will be able to push (basically Fedora)
BLACKLIST_RES = ['refs/heads/el[0-9]+.*', 'refs/heads/olpc[0-9]+.*', ]

### Specific ACO group that will have access to all protected branches with RWC rights
RCM_GROUP = 'centos-rcm'
RCM_BRANCHES = ['refs/heads/c[0-9]+.*', 'refs/tags/.*', ]


The tests here require the test suite of pagure itself to work. You have to modify your PYTHONPATH to find them. Run with:

$ PYTHONPATH=.:/path/to/pagure/checkout pytest pagure_distgit_tests/

You can use our requirements-testing.txt to install testing dependencies with pip:

$ pip install -r /path/to/pagure/checkout/requirements.txt
$ pip install -r /path/to/pagure/checkout/requirements-testing.txt
$ pip install -r requirements-testing.txt

Setting up testing env

The dist-git needs pagure to run. This guide will use the existing pagure vagrant setup with few modifications. First you need to clone pagure:

$ git clone
$ cd pagure

Next step is to copy Vagrantfile.example as Vagrantfile to git root folder:

$ cp dev/Vagrantfile.example Vagrantfile

Add mount point for the dist-git repository. You need to add the following to Vagrantfile:

config.vm.synced_folder "/path/to/pagure-dist-git", "/srv/pagure-dist-git", type: "sshfs"

Create the vagrant machine and ssh into it:

$ vagrant up && vagrant ssh

In the vagrant we need to do a few more steps. First add dist-git specific tables and some test data:

$ cd /srv/pagure-dist-git/
$ sudo -u git python -c /etc/pagure/pagure.cfg
$ cd /srv/pagure
$ sudo -u git PAGURE_CONFIG="/etc/pagure/pagure.cfg" python -a

Add theme to /etc/pagure/pagure.cfg:

THEME = 'srcfpo'

Update /etc/systemd/system/pagure.service with env variables:


Stop the running pagure instance:

$ pstop

Reload systemd daemons:

$ sudo systemctl daemon-reload

Start the pagure instance again:

$ pstart

Now you should have running instance of pagure with dist-git on http://localhost:5000. Nice hacking! :-)