[CentOS-devel] [CBS] koji client issue with CBS with python >= 2.7.9

Tue Sep 22 11:46:37 UTC 2015
Fabian Arrotin <arrfab at centos.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 22/09/15 00:42, Haïkel wrote:
> Hi,
> 
> I finally found a workaround to fix CBS issues when using python
> >= 2.7.9 (like Fedora 22 and above) 
> https://bugzilla.redhat.com/show_bug.cgi?id=1231616 Though it's
> dirty, but it's no different from python 2.7.8 and older behavior.
> 
> Starting python 2.7.9, python ssl standard module enable
> certificate verification by default, hence causing koji client to
> fail when interacting with CBS. What I do not get is why withe the
> same koki client I have no issues with Fedora Koji instance, and
> why it fails with CBS. People using F21 and older or CentOS, won't
> experience that issue.
> 
> I suspect either a configuration or difference of server versions 
> difference, so I'd like CBS admins to investigate that issue.
> 
> Regards, H.

I'll investigate the issue, but as I'm myself not using Fedora , that
will be more difficult. I'll setup a VM for that test.
Also, if python does cert validation (which I was hoping it was
already doing), I'd like to know why it complains about it, if you
have to point koji (through ~/.koji/config) to both ca and serverca.

Worth noting that we'll migrate "soon" (more details through the
cbs/infra weekly meeting) to FAS, so every CBS packager/builder will
have to modify his config.
We're also testing to offer different certs for koji communication :
the kojihub/kojiweb cert will be signed by a "trusted" CA (aka
serverca in your ~/.koji/config file) while FAS will be the CA used to
sign cert used for kojid builders nodes and koji client (so for "users")


- -- 
Fabian Arrotin
The CentOS Project | http://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlYBP50ACgkQnVkHo1a+xU6/pgCggThZJiLGsmtJSFKYR81CwbW1
S0IAoJUMqCruHsJR5U/trLS2uHWXy7/Z
=lMpq
-----END PGP SIGNATURE-----