Flag Day 2016
On the 12th of December 2016 at 00:00UTC, there will be end user impacting changes the packager work flow.
Kerberos for Authentication
Koji supports multiple authentication mechanisms. Fedora infrastructure has set up a freeipa instance internally that has credential syncing to fas. We are working on ensuring that gssapi caching is supported so that you can have multiple TGT's and the ability to work in multiple realms at once. you can get started today by doing kinit <fas username>@FEDORAPROJECT.ORG if you move your ~/.fedora.cert file out of the way authentication will still work.
Well known ssl certificates for koji and pkgs
Using well known certs for koji.fedoraproject.org arm.koji.fedoraproject.org ppc.koji.fedoraproject.org s390.koji.fedoraproject.org pkgs.fedoraproject.org this is the last step needed to have fedoraproject.org switch to hsts and default to https:// when connecting to any fedora service. It will also remove a lot of questions that new people have when connecting to koji via https.
Disable SSL authentication in koji and pkgs
With the switch to kerberos and the change of ssl certificates on the koji and pkgs servers we will be disabling the ability to login to koji using a ssl certificate completely. This change will require new koji client configurations for everyone.
Gate rawhide builds
Gating will enable us to sign rawhide builds and switch the rawhide repo to having gpgcheck enabled.
Sha512 for sources
sources files will switch to use sha512 instead of md5 to identify upstream sources. You will need a new fedpkg that understands this format.
What do I have to do
In order to achieve everything we have to break end user configurations. All users will need to have new enough versions of fedora-packager, fedpkg, rpkg, koji. The exact versions are listed below. We will be aiming to have everything pushed stable right before the flag day. Some of the changes will not be compatible with the existing setup. We anticipate keeping everyone informed as we move forward about any actions that will need to be taken on the developer side.
Q&A
Please see the related and more general page on kerberos authentication in Fedora Infrastructure
- Question: what version(s) of all the packager tools will I need to be using on December 12th?
- Answer: These versions are needed. They may be still in updates-testing (you may even need to download from Koji):
- python2-cccolutils-1.4-1
- fedpkg-1.26-2
- fedora-packager-0.6.0.0-1
- pyrpkg-1.47-3
- koji-1.11.0-1
- Question: How does the rawhide gating work? Aren't you slowing things down?
- Answer: It works by landing all the rawhide builds in a pending tag. Then the autosigner signs them and places them into the normal rawhide tag. This is only delaying builds by how long it takes to sign them. We may add QA checks on this pending step later, but none are being added now.
- Question: What is this 'src.fedoraproject.org' ?
- Answer: This is the new place to download and view package specs / patches. Package maintainers will still need to use ssh to connect to pkgs.fedoraproject.org to commit changes, but https access will be via src.fedoraproject.org.
- Question: I get an error "SSL: CERTIFICATE_VERIFY_FAILED" when trying to use koji
- Answer: This means you have an outdated configuration file. Please make sure first that you have the package versions as described in the list above. If you do have those versions, please check if you have a /etc/koji.conf.rpmnew, in which case you need to move that to /etc/koji.conf. If you don't, check if you have a ~/.koji/config file, in which case you want to remove that.
- Question I get an error "(60, 'SSL certificate problem: self signed certificate in certificate chain')" when trying to use fedpkg
- Answer: This means you have an outdated configuration file. Please make sure first that you have the package versions as described in the list above. If you do have those versions, please check if you have a /etc/rpkg/fedpkg.conf.rpmnew, in which case you need to move that to /etc/rpkg/fedpkg.conf.