[CentOS-devel] cbs feature req: building embargoed content

Karsten Wade

kwade at redhat.com
Thu Mar 12 17:48:11 UTC 2015

On 03/12/2015 06:48 AM, Mike McLean wrote:
> Building is just one part of this. We also have to think about
> source control and test infrastructure.
> For read access, a git repo is all or nothing, so I presume we'll
> need a system where we handle embargoed code in a separate,
> locked-down git repo (not just a branch) and merge that in after
> the embargo lifts. Can we make this work with gitblit? Can we make
> such a workflow tolerable in centpkg?
> Similarly, with test infra we'll need mechanisms to test the
> embargoed builds without making them visible.
> The access controls for all of this will have to line up.

Presuming we won't need this test infra up all the time, only when
there is something to test, can we keep a VM &/or container process on
ice, only bringing it up when something needs to be tested?

This is around making do with what we have currently. If we need
dedicated hardware, that's something to think through. E.g., I wonder
if there are any potential sponsors who see value in this process?

> Speaking of access controls. How fine grained do we need this to
> be? One big "access to embargo" group? Per-sig? Per-package?
> Finer?
> As far as the build system goes, I see a few options:
> 1) separate (small) koji instance for embargoed builds. This would
>    only really work for a coarse grained access plan
> 2) a reimzul instance as kb suggests
> 3) modify koji to support read access controls (highly nontrivial
>    and invasive, but maybe we could do it anyway)

We could start with a reimzul instance, or even multiple ones, kept on
ice until needed. Then move to a Koji instance done similarly, if
needed. Long term, I'd definitely like to see us improving Koji in
these ways so we can eventually retire reimzul and stand-alone mini-Kojis.

- Karsten

> On Wed, Mar 11, 2015 at 12:54 PM, Karanbir Singh
> <mail-lists at karan.org> wrote:
>> On 03/11/2015 04:03 PM, George Dunlap wrote:
>>> What does CentOS do about security patches on the core?  Does
>>> it strive to have updates built and tested as soon as the
>>> embargo is lifted?
>> depends on the code - in some cases, where upstreams are going to
>> work with us we do pre-patch and stage content that we can
>> control code for - this tends to mostly be content outside of the
>> distro.
>> For the distro itself, we rely on the source drops from upstream
>> - but we don't really test or need to own too much of the code
>> lifecycle there.
>> -- Karanbir Singh +44-207-0999389 | http://www.karan.org/ |
>> twitter.com/kbsingh GnuPG Key :
>> http://www.karan.org/publickey.asc 
>> _______________________________________________ CentOS-devel
>> mailing list CentOS-devel at centos.org 
>> http://lists.centos.org/mailman/listinfo/centos-devel

-- 
Karsten 'quaid' Wade        .^\          CentOS Doer of Stuff
http://TheOpenSourceWay.org    \  http://community.redhat.com
@quaid (identi.ca/twitter/IRC)  \v'             gpg: AD0E0C41