On Thursday, March 05, 2015 09:54:22 AM Kevin Fenzi wrote: > The pesign package is kind of delicate and newer versions of it break > the one we are running on the kernel builders. Someone recently updated > it in rawhide and rebuilt it, but it resulted in rawhide kernel builds > all failing to work right. > > So, I'd like to add pesign to the secure-boot channel in koji, which > means that only those folks with secure-boot group in koji can tag new > builds in. This should prevent well meaning provenpackagers from > rebuilding it and breaking it. > > This is a short term issue only, as once we move the bkernel machines > to the new versions they should be in step with rawhide and be fine > moving forward. We just want to prevent this until that happens. > > This will require applying this patch and running the koji hub playbook > to sync up things. > > +1s? > > kevin > -- > diff --git a/roles/koji_hub/templates/hub.conf.j2 > b/roles/koji_hub/templates/hub.conf.j2 index 4e30401..5e8d993 100644 > --- a/roles/koji_hub/templates/hub.conf.j2 > +++ b/roles/koji_hub/templates/hub.conf.j2 > @@ -61,8 +61,8 @@ Plugins = fedmsg-koji-plugin > > > tag = > - has_perm secure-boot && package kernel shim grub2 fedora-release :: > allow - package kernel shim grub2 fedora-release:: deny > + has_perm secure-boot && package kernel shim grub2 fedora-release pesign > :: allow + package kernel shim grub2 fedora-release pesign :: deny > all :: allow > > channel = > @@ -79,6 +79,7 @@ channel = > source */shim* && has_perm secure-boot :: use secure-boot > source */grub2* && has_perm secure-boot :: use secure-boot > source */fedora-release* && has_perm secure-boot :: use secure-boot > + source */pesign* && has_perm secure-boot :: use secure-boot > > # we have some arm builders that have ssd's in them, eclipse is 7 hours > faster building on them # make sure that we always build eclipse on them. +1 we actually need to add fedora-repos also. Dennis
Attachment:
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
