We are wanting to write to you all about an important date coming up. On the
12th of December 2016 we will be making some important changes that will
require changes on every developers machine. In this case developers means
every one that interacts with koji using authentication
lookaside cache checksum hash. currently packages are stored in lookaside
cache using md5sum we will be switching to sha256sum. The support for this has
been in fedpkg for awhile, we have not switched the default as once we do any
source uploaded with sha256sum will only be able to be verified by a client
that supports sha256sum.
koji authentication will be switching to Kerberos. Koji supports multiple
authentication mechanisms. Fedora infrastructure has set up a freeipa instance
internally that has credential syncing to fas. We are working on ensuring that
gssapi caching is supported so that you can have multiple TGT's and the
ability to work in multiple reams at once. you can get started today by doing
kinit <fas username>(a)FEDORAPROJECT.ORG if you move your ~/.fedora.cert file
out of the way authentication will still work.
Using well known certs for koji.fedoraproject.org arm.koji.fedoraproject.org
ppc.koji.fedoraproject.org s390.koji.fedoraproject.org pkgs.fedoraproject.org
this is the last step needed to have fedoraproject.org
switch to hsts and
default to https:// when connecting to any fedora service. It will also remove
a lot of questions that new people have when connecting to koji via https.
Disable ssl cert authentication in koji. With the switch to keberos and the
change of ssl certificates on the koji and pkgs servers we will be disabling
the ability to login to koji using a ssl certificate completely. This change
will require new koji client configurations for everyone.
Gate rawhide builds. Gating will enable us to sign rawhide builds and switch
the rawhide repo to having gpgcheck enabled.
In order to achieve everything we have to break end user configurations. All
users will need to have new enough versions of fedora-packager, fedpkg, rpkg,
koji. the exact versions needed are not yet known as some enhancements are
still being worked on. We will be aiming to have everything pushed stable
right before the flag day. Some of the changes will not be compatible with the
existing setup. We anticipate keeping everyone informed as we move forward
about any actions that will need to be taken on the developer side. there is
a wiki page at https://fedoraproject.org/wiki/ReleaseEngineering/FlagDay2016
that will be updated as more is known.
Not in scope at this point is using kerberos for ssh or other apps supported
by infrastructure, though it is not ruled out going forward.
If you have any questions please respond here or in #fedora-releng on freenode
Release Engineering and Infrastructure