Freeze break request: add pesign to secure-boot channel in koji
Stephen John Smoogen
smooge at gmail.com
Thu Mar 5 17:11:06 UTC 2015
Looks good +1
On 5 March 2015 at 09:54, Kevin Fenzi <kevin at scrye.com> wrote:
> The pesign package is kind of delicate and newer versions of it break
> the one we are running on the kernel builders. Someone recently updated
> it in rawhide and rebuilt it, but it resulted in rawhide kernel builds
> all failing to work right.
>
> So, I'd like to add pesign to the secure-boot channel in koji, which
> means that only those folks with secure-boot group in koji can tag new
> builds in. This should prevent well-meaning provenpackagers from
> rebuilding it and breaking it.
>
> This is a short term issue only, as once we move the bkernel machines
> to the new versions they should be in step with rawhide and be fine
> moving forward. We just want to prevent this until that happens.
>
> This will require applying this patch and running the koji hub playbook
> to sync up things.
>
> +1s?
>
> kevin
> --
> diff --git a/roles/koji_hub/templates/hub.conf.j2
> b/roles/koji_hub/templates/hub.conf.j2
> index 4e30401..5e8d993 100644
> --- a/roles/koji_hub/templates/hub.conf.j2
> +++ b/roles/koji_hub/templates/hub.conf.j2
> @@ -61,8 +61,8 @@ Plugins = fedmsg-koji-plugin
>
>
> tag =
> - has_perm secure-boot && package kernel shim grub2 fedora-release ::
> allow
> - package kernel shim grub2 fedora-release:: deny
> + has_perm secure-boot && package kernel shim grub2 fedora-release
> pesign :: allow
> + package kernel shim grub2 fedora-release pesign :: deny
> all :: allow
>
> channel =
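Review bot: the two added `tag` rules have no comment marking pesign as a temporary entry, although the message describes this as a short-term measure until the bkernel machines move to the new versions. A comment above the `has_perm secure-boot && package ...` line would tell the next editor that pesign can be dropped again. The package list is also repeated in the allow and deny rules, and because `all :: allow` follows them, a name present in the allow line but missing from the deny line could be tagged by anyone. The two lists should be compared on every change.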
> @@ -79,6 +79,7 @@ channel =
> source */shim* && has_perm secure-boot :: use secure-boot
> source */grub2* && has_perm secure-boot :: use secure-boot
> source */fedora-release* && has_perm secure-boot :: use secure-boot
> + source */pesign* && has_perm secure-boot :: use secure-boot
>
> # we have some arm builders that have ssd's in them, eclipse is 7 hours
> faster building on them
> # make sure that we always build eclipse on them.
>
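Review bot: the added `source */pesign*` glob is wider than the exact package name `pesign` used in the `tag` policy, so any source whose last path component merely starts with "pesign" is routed to the secure-boot channel without being covered by the tag restriction. If only pesign itself is meant, a tighter pattern or a comment stating the intent would help. The rule also applies only when the submitter has `has_perm secure-boot`. A build from anyone else matches none of the lines shown here, so the protection described in the message rests on the tag rules in the first hunk, not on this one.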
--
Stephen J Smoogen.