Closed ralphbean closed 6 years ago
Further update from IRC:
dgilmore │ we should not use --force
dgilmore │ but we should look at making changes to koji first to enable better enforcement of what we want
dgilmore │ but short term we could add bodhi to secure-boot or update the policy to directly allow admin to tag everything
dgilmore │ I just want a concrete plan and ideally making sure that only the proper people can submit builds
I've never seen this happen since I've been working on Bodhi, and hadn't noticed this ticket until today. I think it is probably safe to close. Do you agree @ralphbean?
Yeah, I guess it is a non-issue if I'm the one who ran into it. I don't own any of those super crazy secure-boot packages. :) The owners there must have some workflow that doesn't bump them into this issue (or something..). Closing!
Sometimes, bodhi will throw this back at you if you try to edit an update that has certain packages in it.
I tracked it down today to our production koji policy here: https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/koji_hub/templates/hub.conf.j2#n79
The bodhi user has the admin perm, but not the secure-boot perm, so it is unable to fiddle with tags on those packages. I proposed to @ausil that we add an extra line at the top to let bodhi operate on these packages, like this:
Here's the log from IRC:
We got cut off in conversation because dennis had to catch a flight. It seems like he was suggesting that we either 1) patch bodhi to pass --force to work around the incorrect koji config or 2) patch koji to do something else. It seems to me like adjusting our prod koji policy config in ansible would be the easiest.