We have experienced issues in the past where the openh264 builds got incorrectly tagged into, e.g., the f42-updates-candidate tag. This could potentially cause them to get into the main tag (fortunately we caught it in time) and eventually make their way into the composes. This could mean legal trouble for the Fedora Project, so we need to take measures that prevent such scenarios from happening.
There are two things we could try:

1. Adjust the Koji tag policy to prevent the builds getting tagged incorrectly in the first place.
2. Filter them out at the Pungi level so they can never make it into the composes themselves, as a second line of defence.
Metadata Update from @patrikp: - Issue assigned to patrikp
The Pungi part should be done now. Currently waiting for the freeze to be over before merging some of these.
Rawhide (main branch) Pungi: https://pagure.io/pungi-fedora/pull-request/1472
F42 Pungi: https://pagure.io/pungi-fedora/pull-request/1471
Ansible changes for Pungi: https://pagure.io/fedora-infra/ansible/pull-request/2562
For the Koji part the tag policy section can be found in this file [1].
We want to add a block that allows the builds to be tagged into the openh264 tag or into a side tag (only by the side tag owner) and block any other tagging attempts.
Something like:
    [policy]
    tag =
        package openh264 :: {
            tag *-openh264 :: allow
            is_sidetag && is_sidetag_owner :: allow
            all :: deny Tagging OpenH264 to non-openh264 tags is forbidden.
        }
[1] https://pagure.io/fedora-infra/ansible/blob/main/f/roles/koji_hub/templates/hub.conf.j2
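
A small model of how the proposed block would decide tag requests, added here as an example; it is not part of the ticket and not Koji's own code. It assumes first-match evaluation and glob matching on tag names, and the `check_tag_request` helper and the sample tag names are constructed for illustration.

```python
from fnmatch import fnmatch

DENY_MSG = "Tagging OpenH264 to non-openh264 tags is forbidden."


def check_tag_request(package, tag, is_sidetag=False, is_sidetag_owner=False):
    """Model of the proposed openh264 block (hypothetical helper).

    Returns (action, message), or None when the block does not apply and
    the remaining tag policy rules would decide. Rules are tried in order
    and the first match wins.
    """
    if package != "openh264":
        return None                      # block is scoped to the openh264 package
    if fnmatch(tag, "*-openh264"):
        return ("allow", "")             # dedicated openh264 tags
    if is_sidetag and is_sidetag_owner:
        return ("allow", "")             # side tag, requested by its owner
    return ("deny", DENY_MSG)            # catch-all: every other destination


# Constructed sample requests: (package, tag, is_sidetag, is_sidetag_owner)
SAMPLES = [
    ("openh264", "f42-openh264", False, False),
    ("openh264", "f42-updates-candidate", False, False),
    ("openh264", "f42-build-side-00000", True, True),
    ("openh264", "f42-build-side-00000", True, False),
    ("bash", "f42-updates-candidate", False, False),
]


def run_samples():
    """Evaluate every sample and return the list of decisions."""
    return [check_tag_request(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, decision in zip(SAMPLES, run_samples()):
        print(sample, "->", decision or "falls through to later rules")
```

The fourth sample is the case worth checking after deployment: a side tag that the requester does not own must hit the final deny rule.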
That policy looks good to me. :) Care to submit a PR for that one as well?