On Thursday, March 05, 2015 09:54:22 AM Kevin Fenzi wrote:
The pesign package is kind of delicate and newer versions of it
the one we are running on the kernel builders. Someone recently updated
it in rawhide and rebuilt it, but it resulted in rawhide kernel builds
all failing to work right.
So, I'd like to add pesign to the secure-boot channel in koji, which
means that only those folks with secure-boot group in koji can tag new
builds in. This should prevent well-meaning provenpackagers from
rebuilding it and breaking it.
This is a short term issue only, as once we move the bkernel machines
to the new versions they should be in step with rawhide and be fine
moving forward. We just want to prevent this until that happens.
This will require applying this patch and running the koji hub playbook
to sync up things.
diff --git a/roles/koji_hub/templates/hub.conf.j2
b/roles/koji_hub/templates/hub.conf.j2 index 4e30401..5e8d993 100644
@@ -61,8 +61,8 @@ Plugins = fedmsg-koji-plugin
- has_perm secure-boot && package kernel shim grub2 fedora-release ::
allow - package kernel shim grub2 fedora-release:: deny
+ has_perm secure-boot && package kernel shim grub2 fedora-release pesign
:: allow + package kernel shim grub2 fedora-release pesign :: deny
all :: allow
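Review bot: The pesign entry added to both tag-policy lines carries no comment marking it as temporary, although the message describes it as a short-term measure until the bkernel machines move to the new versions. Add a comment above the `has_perm secure-boot && package ...` rule saying why pesign is listed and when it can be dropped, so it is not left in place by accident. The package list is also repeated on the allow line and the deny line, so any further addition (the reply below mentions fedora-repos) has to be made on both, or the two rules stop covering the same set of packages.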
@@ -79,6 +79,7 @@ channel =
source */shim* && has_perm secure-boot :: use secure-boot
source */grub2* && has_perm secure-boot :: use secure-boot
source */fedora-release* && has_perm secure-boot :: use secure-boot
+ source */pesign* && has_perm secure-boot :: use secure-boot
# we have some arm builders that have ssd's in them, eclipse is 7 hours
faster building on them # make sure that we always build eclipse on them.
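Review bot: The added channel rule `source */pesign* && has_perm secure-boot :: use secure-boot` matches on a prefix glob, while the tag policy in the first hunk lists the exact package name pesign, so the two rules need not cover the same builds. Any source whose last path component begins with pesign is routed to the secure-boot channel. That is consistent with the shim, grub2 and fedora-release lines above it, but please confirm the wider match is intended here, and say so in a comment if it is.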
+1 we actually need to add fedora-repos also.