Using git:// does not provide any protection against MITM attackers rewriting the spec file etc., later resulting in arbitrary code execution in the development environment. This requires server-side changes first: https://pkgs.fedoraproject.org/ needs to use a proper X.509 certificate. I don't know where to request this, pointers welcome.
Fedora infrastructure ticket: https://fedorahosted.org/fedora-infrastructure/ticket/2324
Per https://pagure.io/fedora-infrastructure/issue/2324#comment-46084, I believe this can now be fixed in fedpkg.
Patch: https://pagure.io/fedpkg/pull-request/94
(In reply to cqi from comment #3)
> Patch: https://pagure.io/fedpkg/pull-request/94

Merged.
Patch works for fedpkg. But, unfortunately, it doesn't work for Koji.

fedpkg -d -v build
Creating repo object from /home/cqi/packages/fedora/rpkg
Initiating a koji session to https://koji.fedoraproject.org/kojihub
Building rpkg-1.47-6.fc25 for f25-candidate
Building https://src.fedoraproject.org/git/rpms/rpkg?#d139c2a012e5ec7314785d3ad686bddd498eee63 for f25-candidate with options {} and a priority of None
koji build f25-candidate https://src.fedoraproject.org/git/rpms/rpkg?#d139c2a012e5ec7314785d3ad686bddd498eee63
Created task: 16904151
Task info: https://koji.fedoraproject.org/koji/taskinfo?taskID=16904151
Watching tasks (this may be safely interrupted)...
16904151 build (f25-candidate, /git/rpms/rpkg:d139c2a012e5ec7314785d3ad686bddd498eee63): open (buildvm-05.phx2.fedoraproject.org)
16904151 build (f25-candidate, /git/rpms/rpkg:d139c2a012e5ec7314785d3ad686bddd498eee63): open (buildvm-05.phx2.fedoraproject.org) -> FAILED: Action NotAllowed: policy violation (build_from_srpm)
0 free 0 open 0 done 1 failed

I'll disable this change in package in order to ensure it does not block new release before it is resolved.
Issue is reported at fedora-infra, https://pagure.io/fedora-infrastructure/issue/5636
Following up... Now that https://pagure.io/fedora-infrastructure/issue/5636 has been determined not to be a valid bug, can the change be reenabled in the fedpkg RPM?
Hi Matt, sure. It's in plan.
Ping... What is holding this up? All that has to be done is remove 0001-Disable-anongiturl-over-https.patch, right?
Change status to NEW.

By switching to https:// for an anonymous clone, koji fails to build. An example of a failed build is https://koji.fedoraproject.org/koji/taskinfo?taskID=18008897

Related bug 1425913

So, for now, just revert the fix, let fedpkg use original anongiturl.
So, today we had a ton of people hitting git://pkgs and causing problems with the machine, so we disabled that, thinking it was already all switched over, but alas, not. ;(

So, what we need here is something that works for anon git checkouts, which:

anongiturl = https://src.fedoraproject.org/%(module)s

does. But also something that koji can parse correctly to build from a specific git hash. I think we will need to see what koji does to process the url and adjust infrastructure or perhaps patch koji to make it all come out right.

In any case we really want to keep git://pkgs gone if we can at all.
Hi Kevin,

Here is a build https://koji.fedoraproject.org/koji/taskinfo?taskID=22079763 which builds from source https://src.fedoraproject.org/git/rpms/fedpkg?#17dfacad8c9113cd19de5a2134047e0ae5ea2a98 and fails. That is what I reported before in fedora-infra and it still happens.

What anonymous source URL can koji build from?
Hi Kevin,

I just tried a scratch build[1] from new anongiturl with prefix git+https://, it fails and error is

BuildError: src.fedoraproject.org:/git/rpms/python-multilib is not in the list of allowed SCMs

[1] https://koji.fedoraproject.org/koji/taskinfo?taskID=22080126
So, we may need to adjust the list of allowed SCMs here.

https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/koji_builder/templates/kojid.conf#n93

For now I am going to revert our git://pkgs removal until we have fedpkg ready for the change.

Can you also test in staging? It seems like it has more scm urls set up.
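The two failures reported above (the build_from_srpm policy violation for a plain https:// source, and "not in the list of allowed SCMs" for git+https://) can be reproduced with a small model of the check. This is an added example, not part of the bug thread and not Koji's own code; the scheme list, the function names and the allow-list entries are assumptions, written in the `host:repository[:use_common]` form with shell-style globs.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Schemes this model accepts as SCM URLs (assumption). Plain https:// is
# absent on purpose, and git:// is the unauthenticated transport from the report.
SCM_SCHEMES = ("git", "git+http", "git+https", "git+rsync", "git+ssh")

# Constructed allow-lists for illustration; not Fedora's real kojid.conf.
BEFORE = "pkgs.fedoraproject.org:/*:false"
AFTER = BEFORE + " src.fedoraproject.org:/git/rpms/*:false"


def parse_scm_url(url):
    """Split scheme://host/repo?module#revision; None if not an SCM URL."""
    parts = urlsplit(url)
    if parts.scheme not in SCM_SCHEMES:
        return None
    return {"scheme": parts.scheme, "host": parts.hostname,
            "repository": parts.path, "revision": parts.fragment}


def check_source(url, allowed_scms):
    """Return (ok, reason) for a build source checked against an allow-list."""
    scm = parse_scm_url(url)
    if scm is None:
        # Unrecognised scheme: the source is not handled as an SCM checkout.
        return False, "not an SCM URL (treated as SRPM)"
    if not scm["revision"]:
        # Building from a floating branch head is not reproducible.
        return False, "no revision given after '#'"
    for entry in allowed_scms.split():
        host_pat, _, rest = entry.partition(":")
        repo_pat = rest.split(":")[0]
        if fnmatch(scm["host"], host_pat) and fnmatch(scm["repository"], repo_pat):
            return True, "allowed by " + entry
    return False, "%s:%s is not in the list of allowed SCMs" % (
        scm["host"], scm["repository"])


if __name__ == "__main__":
    rev = "17dfacad8c9113cd19de5a2134047e0ae5ea2a98"
    for scheme, allow in (("https", AFTER), ("git+https", BEFORE),
                          ("git+https", AFTER)):
        url = "%s://src.fedoraproject.org/git/rpms/fedpkg?#%s" % (scheme, rev)
        print(scheme, check_source(url, allow))
```

The transport and the allow-list are separate gates: the client has to send a git+https:// URL pinned to a commit, and the builder has to list the new host and path.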
Scratch build in prod and stg koji still fails

Building fedpkg-1.29-5.fc28 for rawhide
Created task: 22091903
Task info: https://koji.fedoraproject.org/koji/taskinfo?taskID=22091903
Watching tasks (this may be safely interrupted)...
22091903 build (rawhide, /git/rpms/fedpkg:17dfacad8c9113cd19de5a2134047e0ae5ea2a98): open (buildvm-11.phx2.fedoraproject.org)
22091904 buildSRPMFromSCM (/git/rpms/fedpkg:17dfacad8c9113cd19de5a2134047e0ae5ea2a98): free
22091904 buildSRPMFromSCM (/git/rpms/fedpkg:17dfacad8c9113cd19de5a2134047e0ae5ea2a98): free -> FAILED: BuildError: src.fedoraproject.org:/git/rpms/fedpkg is not in the list of allowed SCMs
0 free 1 open 0 done 1 failed
22091903 build (rawhide, /git/rpms/fedpkg:17dfacad8c9113cd19de5a2134047e0ae5ea2a98): open (buildvm-11.phx2.fedoraproject.org) -> FAILED: BuildError: src.fedoraproject.org:/git/rpms/fedpkg is not in the list of allowed SCMs
0 free 0 open 0 done 2 failed

Building fedpkg-1.29-5.fc27 for rawhide
Created task: 90485602
Task info: https://koji.stg.fedoraproject.org/koji/taskinfo?taskID=90485602
Watching tasks (this may be safely interrupted)...
90485602 build (rawhide, /git/rpms/fedpkg:17dfacad8c9113cd19de5a2134047e0ae5ea2a98): free
90485602 build (rawhide, /git/rpms/fedpkg:17dfacad8c9113cd19de5a2134047e0ae5ea2a98): free -> open (buildvm-03.stg.phx2.fedoraproject.org)
90485605 buildSRPMFromSCM (/git/rpms/fedpkg:17dfacad8c9113cd19de5a2134047e0ae5ea2a98): open (buildvm-04.stg.phx2.fedoraproject.org)
90485602 build (rawhide, /git/rpms/fedpkg:17dfacad8c9113cd19de5a2134047e0ae5ea2a98): open (buildvm-03.stg.phx2.fedoraproject.org) -> FAILED: BuildError: src.stg.fedoraproject.org:/git/rpms/fedpkg is not in the list of allowed SCMs
0 free 1 open 0 done 1 failed
90485605 buildSRPMFromSCM (/git/rpms/fedpkg:17dfacad8c9113cd19de5a2134047e0ae5ea2a98): open (buildvm-04.stg.phx2.fedoraproject.org) -> FAILED: BuildError: src.stg.fedoraproject.org:/git/rpms/fedpkg is not in the list of allowed SCMs
0 free 0 open 0 done 2 failed
Please try stg again now?
Hi Kevin,

I can build in prod Koji, build https://koji.fedoraproject.org/koji/taskinfo?taskID=22123311

But, I can't get my stg Kerberos ticket. Get error

kinit: Cannot contact any KDC for realm 'STG.FEDORAPROJECT.ORG' while getting initial credentials
Patch:
rpkg: https://pagure.io/rpkg/pull-request/249
fedpkg: https://pagure.io/fedpkg/pull-request/147
(In reply to cqi from comment #17)
> Hi Kevin,
>
> I can build in prod Koji, build
> https://koji.fedoraproject.org/koji/taskinfo?taskID=22123311
>
> But, I can't get my stg Kerberos ticket. Get error
>
> kinit: Cannot contact any KDC for realm 'STG.FEDORAPROJECT.ORG' while
> getting initial credentials

Should be fixed now...
(In reply to Kevin Fenzi from comment #19)
> (In reply to cqi from comment #17)
> > Hi Kevin,
> >
> > I can build in prod Koji, build
> > https://koji.fedoraproject.org/koji/taskinfo?taskID=22123311
> >
> > But, I can't get my stg Kerberos ticket. Get error
> >
> > kinit: Cannot contact any KDC for realm 'STG.FEDORAPROJECT.ORG' while
> > getting initial credentials
>
> Should be fixed now...

Confirmed, works.
ok, so works for builds in both stg and prod? So, we should be able to push out a new fedpkg/rpkg with this soon? Or do we need to change anything on the server end?
Hi Kevin, new version will be released soon.
rpkg-1.51-1.fc27 fedpkg-1.30-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cac2b8b4a
rpkg-1.51-1.fc26 fedpkg-1.30-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ea72793352
rpkg-1.51-1.fc25 fedpkg-1.30-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f5ad4107cc
rpkg-1.51-1.el6 fedpkg-1.30-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-68e2defc4c
rpkg-1.51-1.el7 fedpkg-1.30-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5e4edb1320
Hi Kevin, is it time to enable build from anonymous clone? New version of fedpkg is in Bodhi updates now. It would be good to enable it in case someone tests it. What do you think? Thanks.
fedpkg-1.30-1.fc27, rpkg-1.51-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cac2b8b4a
fedpkg-1.30-1.el7, rpkg-1.51-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5e4edb1320
fedpkg-1.30-1.fc25, rpkg-1.51-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f5ad4107cc
fedpkg-1.30-1.fc26, rpkg-1.51-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ea72793352
fedpkg-1.30-1.el6, rpkg-1.51-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-68e2defc4c
fedpkg-1.30-1.fc27 rpkg-1.51-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cac2b8b4a
fedpkg-1.30-2.fc27, rpkg-1.51-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cac2b8b4a
fedpkg-1.30-2.fc26 rpkg-1.51-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ea72793352
fedpkg-1.30-2.fc25 rpkg-1.51-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f5ad4107cc
fedpkg-1.30-2.el6 rpkg-1.51-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-68e2defc4c
fedpkg-1.30-2.el7 rpkg-1.51-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5e4edb1320
fedpkg-1.30-2.el6, rpkg-1.51-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-68e2defc4c
fedpkg-1.30-2.fc25, rpkg-1.51-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f5ad4107cc
fedpkg-1.30-2.el7, rpkg-1.51-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5e4edb1320
fedpkg-1.30-2.fc26, rpkg-1.51-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ea72793352
The URL has been fixed in the upstream repo to the working one. Please fix that.
fedpkg-1.30-3.fc27 rpkg-1.51-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cac2b8b4a
fedpkg-1.30-3.fc25 rpkg-1.51-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f5ad4107cc
fedpkg-1.30-3.el7 rpkg-1.51-1.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5e4edb1320
fedpkg-1.30-3.el6 rpkg-1.51-1.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-68e2defc4c
fedpkg-1.30-3.fc26 rpkg-1.51-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ea72793352
fedpkg-1.30-3.el6, rpkg-1.51-1.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-68e2defc4c
fedpkg-1.30-3.fc25, rpkg-1.51-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f5ad4107cc
fedpkg-1.30-3.el7, rpkg-1.51-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5e4edb1320
fedpkg-1.30-3.fc26, rpkg-1.51-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ea72793352
fedpkg-1.30-3.fc27, rpkg-1.51-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cac2b8b4a
fedpkg-1.30-4.el7 rpkg-1.51-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5e4edb1320
fedpkg-1.30-4.el6 rpkg-1.51-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-68e2defc4c
fedpkg-1.30-4.fc25 rpkg-1.51-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f5ad4107cc
fedpkg-1.30-4.fc26 rpkg-1.51-2.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-ea72793352
fedpkg-1.30-4.fc27 rpkg-1.51-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cac2b8b4a
fedpkg-1.30-4.fc27, rpkg-1.51-2.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9cac2b8b4a
fedpkg-1.30-4.fc25, rpkg-1.51-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f5ad4107cc
fedpkg-1.30-4.el6, rpkg-1.51-2.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-68e2defc4c
fedpkg-1.30-4.el7, rpkg-1.51-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2017-5e4edb1320
fedpkg-1.30-4.fc26, rpkg-1.51-2.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-ea72793352
fedpkg-1.30-4.fc27, rpkg-1.51-2.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
fedpkg-1.30-4.fc26, rpkg-1.51-2.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
fedpkg-1.30-4.fc25, rpkg-1.51-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
fedpkg-1.30-4.el7, rpkg-1.51-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
fedpkg-1.30-4.el6, rpkg-1.51-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.