#62 openh264 and non-distributable-rpms
Opened 4 years ago by maxamillion. Modified a year ago
maxamillion/releng openh264  into  master

file modified
+1

@@ -58,6 +58,7 @@ 

      sop_mass_branching

      sop_mass_rebuild

      sop_multi_boot_media

+     sop_non_distributable_packages

      sop_package_blocking

      sop_package_unblocking

      sop_pushing_updates

@@ -0,0 +1,61 @@ 

+ .. SPDX-License-Identifier:    CC-BY-SA-3.0

+ 

+ 

+ ==========================

+ Non-Distributable-Packages

+ ==========================

+ 

+ Description

+ ===========

+ In Fedora, sometimes there are `Non-Distributable-RPMs`_ for various legal

+ reasons related to distribution of code or content. We in the Fedora Project

+ still build these artifacts in our build system and put them through our

+ release process such that they can be signed with Fedora keys allowing users to

+ install them from third parties without being confronted with unknown keys at

+ install time which may lead to confusion or security issues.

+ 

+ 

+ Action

+ ======

+ 

+ Procedures for `Non-Distributable-RPMs`_ vary based the package in question.

+ Each package procedure is listed below.

+ 

+ openh264

+ --------

+ For openh264 there is a script in the `releng`_ pagure git repository that

+ will perform the tasks of signing, importing to koji, exporting a repository,

+ mashing the repository locally, signing the repodata, tar'ing the repo, and

+ sending it to the appropriate people from Cisco.

+ 

+ ::

+ 

+     ./openh264 -r 24 -k fedora-24

+ 

+ .. FIXME - Need something here about the koji rewrite rules

+ 

+ Verification

+ ============

+ 

+ One step needed here is to make sure that we cannot download the package from

+ `koji`_.

+ 

+ openh264

+ --------

+ Make sure that the package is not available for download from `here

+ <http://koji.fedoraproject.org/koji/packageinfo?packageID=21431>`_, but

+ instead redirects to the `Non-Distributable-RPMs` wiki page.

+ 

+ Consider Before Running

+ =======================

+ 

+ Considerations vary per package, each is outlined below

+ 

+ openh264

+ --------

+ Make sure that the package has been updated and is ready to be signed and sent

+ to Cisco. We don't want to effectively turn this into nag-mail.

+ 

+ .. _koji: http://koji.fedoraproject.org/koji/

+ .. _Non-Distributable-RPMs:

+     https://fedoraproject.org/wiki/Non-distributable-rpms

@@ -0,0 +1,92 @@ 

+ #!/usr/bin/env python2

+ # -*- coding: utf-8 -*-

+ #

+ # send-openh264.py - Send the OpenH264 repo to Cisco with signed metadata

+ #

+ # Copyright (C) 2016 Red Hat, Inc.

+ # SPDX-License-Identifier:      GPL-2.0+

+ #

+ # Authors:

+ #     Adam Miller <maxamillion@fedoraproject.org>

+ #

+ # Exit codes:

+ #   0 - Success

+ #   1 - required arg missing

+ 

+ import os

+ import flr.koji

+ import flr.sigul

+ import flr.mash

+ import sys

+ import tarfile

+ import logging

+ import argparse

+ import datetime

+ 

+ # Set log level to logging.INFO

+ flr.log = logging.getLogger(os.path.basename(sys.argv[0]))

+ 

+ PKG_NAME = "openh264"

+ 

+ if __name__ == '__main__':

+ 

+     # get args from command line

+     parser = argparse.ArgumentParser()

+     parser.add_argument(

+         "-k",

+         "--key",

+         help="signing key to use with sigul",

+     )

+     parser.add_argument(

+         "-r",

+         "--release",

+         help="Fedora Release to target for release (Ex: 22, 23, 24, rawhide)",

+     )

+     pargs = parser.parse_args()

+ 

+     if not pargs.key:

+         flr.log.error("No key passed, see -h for help")

+         sys.exit(1)

+     if not pargs.release:

+         flr.log.error("No release arg passed, see -h for help")

+         sys.exit(1)

+ 

+     origin_tag = "f{0}".format(pargs.release)

+     dest_tag = "f{0}-{1}".format(pargs.release, PKG_NAME)

+     latest = flr.koji.latest_build(origin_tag, PKG_NAME)

+ 

+     flr.koji.move_builds(origin_tag, dest_tag, [latest])

+ 

+     pkg_path = "/mnt/koji/packages/%s/%s/%s/*/*.rpm" % flr.rpm.get_nvr(latest)

+ 

+     flr.sigul.sign_rpm(pargs.key, pkg_path, "/tmp/signed/")

+ 

+     flr.koji.import_signatures("/tmp/signed/*")

+ 

+     flr.koji.write_signed_rpms(flr.KEYS[pargs.key], latest)

+ 

+     mash_out_dir = "/tmp/f{0}-{1}-{2}/".format(

+         pargs.release,

+         PKG_NAME,

+         datetime.datedatetime.today().strftime("%Y%m%d")

+     )

+ 

+     flr.mash.mash(

+         "{0}-{1}".format(pargs.release, PKG_NAME),

+         out_dir=mash_out_dir

+     )

+ 

+     repotar = tarfile.open("f{0}-{1}-{2}.tar.bz2".format(
ausil commented 4 years ago

we should use xz compression

I would have but python 2.x doesn't support xz compression in the tarfile module

Or rather, the top commit on https://pagure.io/fork/puiterwijk/releng/commits/openh264-lzma (this one has the correct file extension).

+             pargs.release,

+             PKG_NAME,

+             datetime.datedatetime.today().strftime("%Y%m%d")

+         ),

+         "w:bz2"

+     )

+     repotar.add(mash_out_dir)

+     repotar.close()

+ 

+ 

+     # FIXME - Email the tarball to interested parties here

+ 

+ # vim: set expandtab sw=4 sts=4 ts=4

no initial comment

Note, this depends on flr. Which you can use in the mean time by git cloning somewhere and then creating a symlink into the releng/scripts however, I don't know where to send the email to and would like request review of the script as well also some information about what was done in the koji redirect for the SOP docs.

Thank you,

we should use xz compression

I would have but python 2.x doesn't support xz compression in the tarfile module

I'll contact Kalev Lember to find out the email destination. He's our point of contact for this and was working with Cisco earlier.

@pfrields have you had any followup here?

I think we did end up sending tarballs (or whatever built artifacts) to Cisco. @kalev tells me that @ausil sent these on, so he should have the appropriate email address.

Or rather, the top commit on https://pagure.io/fork/puiterwijk/releng/commits/openh264-lzma (this one has the correct file extension).

Hey look, the oldest releng pr. ;)

@maxamillion if you still have this anywhere, can you rebase it and sign off on it? Since this repo enforces the silly sign-off requirement.