On Fri, Aug 10, 2018 at 10:16:13AM +0100, Daniel P. Berrangé wrote:
> On Fri, Aug 10, 2018 at 11:00:46AM +0200, Pierre-Yves Chibon wrote:
> > Good Morning Everyone,
> >
> > Since koji 1.15 released last December, koji has a dedicated field for each build
> > storing the entire source URL with git hash, regardless of how the build was
> > started.
> > This allows us to know for each build the exact git hash that was used.
> >
> > We've implemented a small service that listens to fedmsg messages from koji,
> > retrieves the git hash from that field, and flags the corresponding commit in
> > dist-git with the outcome of the build.
> > This way, just while browsing the commits in dist-git you will be able to
> > directly access the corresponding build made in koji (whether it succeeded or
> > failed).
> >
> > Few examples:
> >
> > https://src.fedoraproject.org/rpms/rust-exa/c/56591280ba0c1e178105bb4dc59...
> >
> > https://src.fedoraproject.org/rpms/python-pygit2/c/a5d6031a6682e68d154cfc...
>
> IIUC this is just a UI addition, not actually using git tags ?
>
> ie, I'd love to be able to do "git show libvirt-4.5.0-1.fc28" from the cli
> to view a tag / commit from which the NEVR was made.
>
> I get that there'd be security consequences to allowing some service the
> ability to write to git, but there are a variety of ways to deal with that.

I'm pretty sure we used to do this at one point but one of the issues is that
tags are not immutable, packagers can change them even if we block force push.
I believe this is why we no longer do this :)

A git commit "update" hook can be used to block deletion or modification
of any existing tags.

Regards,
Daniel
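
One way to write the "update" hook mentioned in this message, as an added example that is not part of the original thread or of Fedora's dist-git code. It assumes tags live under refs/tags/ and that creating a new tag should stay allowed; the function names are hypothetical.

```shell
#!/bin/sh
# Server-side "update" hook (installed as hooks/update in the bare repository).
# Git runs it once per pushed ref with: <refname> <old-oid> <new-oid>.
# A non-zero exit status rejects the update of that ref.

# An all-zero object id means "no object": 40 hex digits for SHA-1
# repositories, 64 for SHA-256. Succeeds only for a non-empty run of zeros.
is_zero_oid() {
    case "$1" in
        ''|*[!0]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 to allow the ref update, 1 to reject it.
check_ref_update() {
    refname=$1 oldrev=$2 newrev=$3

    # Only tags are protected; branches and other refs pass through.
    case "$refname" in
        refs/tags/*) ;;
        *) return 0 ;;
    esac

    if is_zero_oid "$newrev"; then
        echo "rejected: deleting tag ${refname#refs/tags/} is not allowed" >&2
        return 1
    fi
    if is_zero_oid "$oldrev"; then
        return 0    # the tag did not exist before: creation is allowed
    fi
    if [ "$oldrev" = "$newrev" ]; then
        return 0    # no change
    fi
    echo "rejected: tag ${refname#refs/tags/} already exists and cannot be moved" >&2
    return 1
}

# Act as the hook only when called with git's three arguments.
if [ "$#" -eq 3 ]; then
    check_ref_update "$1" "$2" "$3" || exit 1
fi
```

The hook must be executable and runs on the server for every push, so it constrains what reaches the shared repository, not what a packager does in a local clone.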