Freeze break request: add pesign to secure-boot channel in koji

Stephen John Smoogen smooge at gmail.com
Thu Mar 5 17:11:06 UTC 2015


Looks good +1

On 5 March 2015 at 09:54, Kevin Fenzi <kevin at scrye.com> wrote:

> The pesign package is kind of delicate and newer versions of it break
> the one we are running on the kernel builders. Someone recently updated
> it in rawhide and rebuilt it, but it resulted in rawhide kernel builds
> all failing to work right.
>
> So, I'd like to add pesign to the secure-boot channel in koji, which
> means that only those folks with secure-boot group in koji can tag new
> builds in. This should prevent well-meaning provenpackagers from
> rebuilding it and breaking it.
>
> This is a short term issue only, as once we move the bkernel machines
> to the new versions they should be in step with rawhide and be fine
> moving forward. We just want to prevent this until that happens.
>
> This will require applying this patch and running the koji hub playbook
> to sync up things.
>
> +1s?
>
> kevin
> --
> diff --git a/roles/koji_hub/templates/hub.conf.j2
> b/roles/koji_hub/templates/hub.conf.j2
> index 4e30401..5e8d993 100644
> --- a/roles/koji_hub/templates/hub.conf.j2
> +++ b/roles/koji_hub/templates/hub.conf.j2
> @@ -61,8 +61,8 @@ Plugins = fedmsg-koji-plugin
>
>
>  tag =
> -    has_perm secure-boot && package kernel shim grub2 fedora-release ::
> allow
> -    package kernel shim grub2 fedora-release:: deny
> +    has_perm secure-boot && package kernel shim grub2 fedora-release
> pesign :: allow
> +    package kernel shim grub2 fedora-release pesign :: deny
>      all :: allow
>
>  channel =
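
Review bot: the package list `kernel shim grub2 fedora-release pesign` is now repeated on both the allow and the deny line of the `tag` policy, and nothing in the template records that the pesign entry is a temporary restriction. The two lists have to stay identical for the pair to work: a package listed only on the deny line could be tagged by nobody, and one listed only on the allow line would fall through to `all :: allow` for everyone else. A comment above the rule stating that pairing, and noting that pesign can be dropped once the kernel builders are on the new version, would help whoever reverts this.
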
> @@ -79,6 +79,7 @@ channel =
>      source */shim* && has_perm secure-boot :: use secure-boot
>      source */grub2* && has_perm secure-boot :: use secure-boot
>      source */fedora-release* && has_perm secure-boot :: use secure-boot
> +    source */pesign* && has_perm secure-boot :: use secure-boot
>
>  # we have some arm builders that have ssd's in them, eclipse is 7 hours
> faster building on them
>  # make sure that we always build eclipse on them.
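
Review bot: the added channel rule matches on the glob `*/pesign*`, which is wider than the exact `pesign` package name used in the tag policy, so any source path containing a component that starts with pesign is routed to the secure-boot channel for users holding that permission. This follows the existing shim, grub2 and fedora-release rules, so it may be intended, but it is worth confirming. Note also that a build submitted without the secure-boot permission does not match this rule and continues to the later channel rules, so the protection described in the message comes from the tag policy alone.
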
>



-- 
Stephen J Smoogen.