Freeze break request: add pesign to secure-boot channel in koji

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The pesign package is kind of delicate and newer versions of it break
the one we are running on the kernel builders. Someone recently updated
it in rawhide and rebuilt it, but it resulted in rawhide kernel builds
all failing to work right. 

So, I'd like to add pesign to the secure-boot channel in koji, which
means that only those folks with secure-boot group in koji can tag new
builds in. This should prevent well meaning provenpackagers from
rebuilding it and breaking it. 

This is a short term issue only, as once we move the bkernel machines
to the new versions they should be in step with rawhide and be fine
moving forward. We just want to prevent this until that happens. 

This will require applying this patch and running the koji hub playbook
to sync up things. 

+1s?

kevin
--
diff --git a/roles/koji_hub/templates/hub.conf.j2 b/roles/koji_hub/templates/hub.conf.j2
index 4e30401..5e8d993 100644
--- a/roles/koji_hub/templates/hub.conf.j2
+++ b/roles/koji_hub/templates/hub.conf.j2
@@ -61,8 +61,8 @@ Plugins = fedmsg-koji-plugin
 
 
 tag = 
-    has_perm secure-boot && package kernel shim grub2 fedora-release :: allow
-    package kernel shim grub2 fedora-release:: deny
+    has_perm secure-boot && package kernel shim grub2 fedora-release pesign :: allow
+    package kernel shim grub2 fedora-release pesign :: deny
     all :: allow
 
 channel = 
@@ -79,6 +79,7 @@ channel =
     source */shim* && has_perm secure-boot :: use secure-boot
     source */grub2* && has_perm secure-boot :: use secure-boot
     source */fedora-release* && has_perm secure-boot :: use secure-boot
+    source */pesign* && has_perm secure-boot :: use secure-boot
 
 # we have some arm builders that have ssd's in them, eclipse is 7 hours faster building on them 
 # make sure that we always build eclipse on them.

Attachment: pgpESS1olgbLK.pgp
Description: OpenPGP digital signature

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure

[Index of Archives]     [Fedora Development]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [KDE Users]

  Powered by Linux