Hello,

I would like to hear about the community opinion on this.

The pipeline delivery team currently installs a number of packages in some of their pipeline tasks, this package list (package + package version) is stored in a file and that file gets updated when a new version of a listed package is around in Koji.

The problem is that Koji is being used to check for new package versions but that doesn't mean a compose was run which can lead to a situation where mirrors do not have that "latest" package version that was built on koji (a compose is run weekly).

To illustrate things in a practical way:

A new version (1.34.0) of NetworkManager was built in koji: https://koji.mbox.centos.org/koji/packageinfo?packageID=1433;
The package is not available in centos mirrors (yet): http://mirror.centos.org/centos/8-stream/BaseOS/aarch64/os/Packages/ ;
The package gets updated in this file: https://gitlab.com/redhat/edge/ci-cd/manifests/-/blob/update-package-NetworkManager-1.34.0-0.1.el8/package_list/c8s-image-manifest.txt#L9;
The pipeline job fails because yum can't find that version of the package in the BaseOS repository.

I know that we can download those RPMs directly from Koji but I was wondering if this is where the SIG could/should step in and make the user experience a bit better by providing a single source of truth, be it a repository or some tooling, to retrieve package info and show where they stand.

Any thoughts on this?

Thanks!

Leonardo Rossetti

Red Hat

lrossett@redhat.com