[CentOS-devel] cbs feature req: building embargoed content

Thu Mar 5 15:09:22 UTC 2015
Karanbir Singh <mail-lists at karan.org>

On 05/03/15 15:02, Brian Stinson wrote:
> On Mar 05 11:41, Karanbir Singh wrote:
>> On 09/26/2014 02:33 PM, Karanbir Singh wrote:
>>>> Currently koji doesn't have any read access controls, or at least not
>>>> any related to builds. Most folks would probably either use a private
>>>> koji, or just run mock against koji's yum repos.
>>>>
>>>> Are we really only talking about a scratch build type scenario, or do
>>>> folks want a real build that is hidden? Difference being that in the
>>>> former case, you'd end up running a non-scratch rebuild after the
>>>> embargo lifts, while in the latter you'd flip a switch and have the
>>>> build appear.
>>>>
>>>> The latter case is much harder (and also begs for embargo lockdown in
>>>> source control), but neither is trivial to implement.
>>>
>>> What we really need is a way for $person to build 'stuff' without it
>>> going public. If that means the sources cant hit git.centos.org then
>>> thats ok, we just need to make sure folks understand that
>>> no-commit-to-git.c.o till public.
>>>
>>> If that then imples that koji's targets can only be used once stuff is
>>> public, that too might be fine ( as long as the person has had the
>>> change to test builds against the same target in the past ).
>>>
>>> Our exposure in this case would then be limited to the time it takes to
>>> build something, and since the scratch builds will use the same repos -
>>> we can be fairly confident (!) about result; we'd still test it, but we
>>> can go into the testing with a higher level of confidence.
>>
>> reviving an old thread - we're again in a situation where we need SIGs
>> to be able to build security updates and do some testing around content
>> that is under embargo.
>>
>> Depending on how much work this is, do we go down the route of replacing
>> one of the koji builders with a reimzul like instance that runs private
>> builds ? reimzul can generate per-build htaccess entries for basic-auth,
>> that way ( apart from folks who have shell access to the machine ),
>> there is some level of privacy as well.
>>
>> If we do go down that route, we'd need a way for koji to import those
>> builds at a later stage, when they need to be signed and released.
>>
> 
> When we brought this up at the CBS meeting I remember talking about
> having the SIGs do local mockbuilds (perhaps on devcloud?) and then
> commit to their branches after the embargo is lifted. Are there some
> requirements that aren't covered by that workflow? 

there is no way to prep-ahead and test-ahead using this, also it means
folks need to be around and standing by as embargo is lifted. in many
cases, thats not possible.

I'm assuming that you meant commit to their branch, then trigger a
build, and then do the testing.


-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc