The pesign package is kind of delicate and newer versions of it break the one we are running on the kernel builders. Someone recently updated it in rawhide and rebuilt it, but it resulted in rawhide kernel builds all failing to work right.
So, I'd like to add pesign to the secure-boot channel in koji, which means that only those folks with secure-boot group in koji can tag new builds in. This should prevent well-meaning provenpackagers from rebuilding it and breaking it.
This is a short term issue only, as once we move the bkernel machines to the new versions they should be in step with rawhide and be fine moving forward. We just want to prevent this until that happens.
This will require applying this patch and running the koji hub playbook to sync up things.
+1s?
kevin -- diff --git a/roles/koji_hub/templates/hub.conf.j2 b/roles/koji_hub/templates/hub.conf.j2 index 4e30401..5e8d993 100644 --- a/roles/koji_hub/templates/hub.conf.j2 +++ b/roles/koji_hub/templates/hub.conf.j2 @@ -61,8 +61,8 @@ Plugins = fedmsg-koji-plugin
tag = - has_perm secure-boot && package kernel shim grub2 fedora-release :: allow - package kernel shim grub2 fedora-release:: deny + has_perm secure-boot && package kernel shim grub2 fedora-release pesign :: allow + package kernel shim grub2 fedora-release pesign :: deny all :: allow
channel = @@ -79,6 +79,7 @@ channel = source */shim* && has_perm secure-boot :: use secure-boot source */grub2* && has_perm secure-boot :: use secure-boot source */fedora-release* && has_perm secure-boot :: use secure-boot + source */pesign* && has_perm secure-boot :: use secure-boot
# we have some arm builders that have ssd's in them, eclipse is 7 hours faster building on them # make sure that we always build eclipse on them.
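Review bot: in the tag-policy hunk the package list on the new `allow` and `deny` lines is duplicated verbatim (`kernel shim grub2 fedora-release pesign`), and the same set of components is enumerated a third time as `source` globs in the channel policy, so every future addition (fedora-repos is already raised later in this thread) has to be made in three places, and a miss on the `deny` line silently reopens tagging of that package to everyone. Since this is a Jinja2 template (`hub.conf.j2`), consider defining the list once as a template variable and rendering both lines from it. The replacement line also fixes the `fedora-release:: deny` spacing of the removed line, and `all :: allow` stays as the catch-all, so the deny only applies to the listed packages.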
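Review bot: in the channel-policy hunk, `source */pesign*` is a glob on the SCM URL, so any path component starting with `pesign` after a slash (a hypothetical `pesign-foo` package, for instance) would also be routed to the secure-boot channel, whereas the tag policy in the first hunk matches the exact package name `pesign`. That is consistent with the existing `*/shim*` and `*/grub2*` entries, so no change is required, but the two policies do not key on the same thing. Note also that the added rule only fires when the submitter has the `secure-boot` permission; for anyone else nothing in this hunk matches and the build falls through to whatever channel rules follow, so for those users the protection comes from the tag `deny` in the first hunk rather than from channel routing.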
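To make the effect of the two policies concrete, here is an added example (not koji's own code, and not part of the original mail): a deliberately simplified Python reimplementation of the hub's rule syntax, `test args && test args :: action`, evaluated top to bottom with the first matching rule winning. It supports only the `has_perm`, `package`, `source` and `all` tests, with no `admin` shortcut, and the SCM URLs and the `provenpackager` permission name used in the demo are constructed for illustration. It runs the patched tag policy, the pre-patch tag policy and the patched channel policy against a few sample requests.

```python
"""Toy evaluator for koji-hub-style policy rules (added example, not koji's code).

Rules are "test args && test args :: action"; they are tried in order and the
first rule whose tests all pass decides. Only the tests needed for the hub.conf
hunks in the mail are implemented, and the real hub's admin-implies-everything
behaviour of has_perm is intentionally left out.
"""
import fnmatch

# Tag policy before and after the patch, transcribed from the diff.
TAG_POLICY_BEFORE = """
has_perm secure-boot && package kernel shim grub2 fedora-release :: allow
package kernel shim grub2 fedora-release:: deny
all :: allow
"""

TAG_POLICY_AFTER = """
has_perm secure-boot && package kernel shim grub2 fedora-release pesign :: allow
package kernel shim grub2 fedora-release pesign :: deny
all :: allow
"""

# Channel policy after the patch (the lines visible in the hunk).
CHANNEL_POLICY_AFTER = """
source */shim* && has_perm secure-boot :: use secure-boot
source */grub2* && has_perm secure-boot :: use secure-boot
source */fedora-release* && has_perm secure-boot :: use secure-boot
source */pesign* && has_perm secure-boot :: use secure-boot
"""


def parse_policy(text):
    """Return a list of (tests, action); each test is (name, [args])."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Splitting on "::" tolerates the "fedora-release:: deny" spacing glitch.
        tests_part, action = line.rsplit("::", 1)
        tests = []
        for clause in tests_part.split("&&"):
            words = clause.split()
            tests.append((words[0], words[1:]))
        rules.append((tests, action.strip()))
    return rules


def run_test(name, args, data):
    """Evaluate one test; space-separated args are alternatives (any may match)."""
    if name == "all":
        return True
    if name == "has_perm":
        return any(perm in data.get("perms", ()) for perm in args)
    if name == "package":
        return any(fnmatch.fnmatchcase(data["package"], pat) for pat in args)
    if name == "source":
        return any(fnmatch.fnmatchcase(data["source"], pat) for pat in args)
    raise ValueError(f"unsupported policy test: {name}")


def evaluate(rules, data):
    """Action of the first rule whose tests all pass, or None if none matches."""
    for tests, action in rules:
        if all(run_test(name, args, data) for name, args in tests):
            return action
    return None


def tag_decision(package, perms, policy=TAG_POLICY_AFTER):
    """Would koji let a user holding `perms` tag a build of `package`?"""
    return evaluate(parse_policy(policy), {"package": package, "perms": perms})


def channel_decision(source, perms, policy=CHANNEL_POLICY_AFTER):
    """Which channel rule (if any) claims a build from SCM URL `source`?"""
    return evaluate(parse_policy(policy), {"source": source, "perms": perms})


if __name__ == "__main__":
    # Constructed sample SCM URL; the hash is a placeholder.
    src = "git://pkgs.fedoraproject.org/pesign?#0000000"
    print("provenpackager, before patch:", tag_decision("pesign", ["provenpackager"], TAG_POLICY_BEFORE))
    print("provenpackager, after patch: ", tag_decision("pesign", ["provenpackager"]))
    print("secure-boot member:          ", tag_decision("pesign", ["secure-boot"]))
    print("unlisted package:            ", tag_decision("python-requests", []))
    print("channel with perm:           ", channel_decision(src, ["secure-boot"]))
    print("channel without perm:        ", channel_decision(src, []))
```

Running it shows the point of the patch: under the old policy a provenpackager's pesign build is tagged (`allow`), under the new one it is refused (`deny`), while secure-boot members and unlisted packages are unaffected, and only secure-boot members' pesign builds are routed to the `secure-boot` channel.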
Looks good +1
On 5 March 2015 at 09:54, Kevin Fenzi kevin@scrye.com wrote:
infrastructure mailing list infrastructure@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/infrastructure
+1 here.
-re
On 03/05/2015 11:54 AM, Kevin Fenzi wrote:
On Thursday, March 05, 2015 09:54:22 AM Kevin Fenzi wrote:
+1 we actually need to add fedora-repos also.
Dennis
On Wed, 11 Mar 2015 10:17:21 -0500 Dennis Gilmore dennis@ausil.us wrote:
+1 we actually need to add fedora-repos also.
Cool. I pushed the change with both of them...
kevin