Bug 2328647

Summary: Review Request: trustee-attester - Attest and fetch secrets from Trustee
Product: [Fedora] Fedora Reporter: Uri Lublin <uril>
Component: Package ReviewAssignee: Nobody's working on this, feel free to take it <nobody>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: crobinso, package-review, vkuznets
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: https://github.com/confidential-containers/guest-components
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-12-16 09:56:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2327780, 2327782    
Bug Blocks:    

Description Uri Lublin 2024-11-25 11:04:11 UTC 
Spec URL: https://download.copr.fedorainfracloud.org/results/uril/trustee-attester/fedora-rawhide-x86_64/08309914-trustee-attester/trustee-attester.spec
SRPM URL: https://download.copr.fedorainfracloud.org/results/uril/trustee-attester/fedora-rawhide-x86_64/08309914-trustee-attester/trustee-attester-0.10.0-1.fc42.src.rpm

Description: A client to easily attest and fetch secrets (a.k.a confidential
resources) from Trustee.
When running in a confidential Virtual Machine, trustee-attester can be
used to get secrets from Trustee, after a successful attestation.

Fedora Account System Username: uril

Notes:
- Upstream git repository is https://github.com/confidential-containers/guest-components.
- There are not yet crates of this project in crates.io, and separation of code to
crates can still change.
- The tarball (Source0) was created from tag v0.10.0 with git archive, as currently
a tarball is not released.
Comment 1 Fedora Review Service 2024-11-25 11:06:47 UTC 
Copr build:
https://copr.fedorainfracloud.org/coprs/build/8310174
(failed)

Build log:
https://download.copr.fedorainfracloud.org/results/@fedora-review/fedora-review-2328647-trustee-attester/fedora-rawhide-x86_64/08310174-trustee-attester/builder-live.log.gz

Please make sure the package builds successfully at least for Fedora Rawhide.

- If the build failed for unrelated reasons (e.g. temporary network
  unavailability), please ignore it.
- If the build failed because of missing BuildRequires, please make sure they
  are listed in the "Depends On" field


---
This comment was created by the fedora-review-service
https://github.com/FrostyX/fedora-review-service

If you want to trigger a new Copr build, add a comment containing new
Spec and SRPM URLs or [fedora-review-service-build] string.
Comment 2 Vitaly Kuznetsov 2024-11-28 14:23:46 UTC 
Just a few comments:
- Why do we use 'trustee-attester' name for the source package? Upstream this is part of 'Confidential Container Tools and Components' so even if we don't package other tools from this collection now, they may come handy afterwards. Would it rather make sense to name the source package e.g. 'coco-guest-components'?

- Where does the manpage come from? Assuming it was written from scratch for Fedora, would it rather make sense to submit it upstream so it doesn't diverge when code changes?
Nitpick: I would suggest to not hardcode '.gz' for the manpage compression as these things tend to change. I'd rather do

%{_mandir}/man1/trustee-attester.1*

- It is a bit weird that the actual program comes from a patch (0001-Add-trustee-attester-a-simple-tool-to-fetch-secrets-.patch), this is fragile as it may stop building/working with upstream code changes. Any chance it can be pushed upstream?
Comment 3 Uri Lublin 2024-12-03 11:08:49 UTC 
Vitaly, thank you for reviewing.

(In reply to Vitaly Kuznetsov from comment #2)
> - Why do we use 'trustee-attester' name for the source package? Upstream
> this is part of 'Confidential Container Tools and Components' so even if we
> don't package other tools from this collection now, they may come handy
> afterwards. Would it rather make sense to name the source package e.g.
> 'coco-guest-components'?

That's a good point. I was thinking about it too.
Currently the project does not publish crates on crates.io.
When that happens the number of crates may change - for example, there
may be only 1 'dep' crate instead of 3.
Possibly trustee-attester will get its own crate in the future.

> 
> - Where does the manpage come from? Assuming it was written from scratch for
> Fedora, would it rather make sense to submit it upstream so it doesn't
> diverge when code changes?
It was written from scratch for Fedora.
I'll send it upstream too.

> Nitpick: I would suggest to not hardcode '.gz' for the manpage compression
> as these things tend to change. I'd rather do
> 
> %{_mandir}/man1/trustee-attester.1*

I'll do that.


> 
> - It is a bit weird that the actual program comes from a patch
> (0001-Add-trustee-attester-a-simple-tool-to-fetch-secrets-.patch), this is
> fragile as it may stop building/working with upstream code changes. Any
> chance it can be pushed upstream?
It is a bit weird. It's already pushed upstream, but not in release 0.10.0.
I can create a tarball based on 'main' (and git describe), instead of 'v0.10.0'
Comment 4 Uri Lublin 2024-12-16 09:52:07 UTC 
Following the suggestions by Vitaly in comment 2:
1. The package is to be renamed to trustee-guest-components.
   This ReviewRequest bug is to be closed. A new ReviewRequest for trustee-guest-components was created (bug 2332550).
2. The manpage is removed. Once sent and accepted upstream, it will be re-added.
3. The source is now based on a specific commit, and not on v0.10.0
4. There is no need for attestation-agent/deps/sev and so it too is removed from workspace members.
Comment 5 Uri Lublin 2024-12-16 09:56:08 UTC 

*** This bug has been marked as a duplicate of bug 2332550 ***