You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: .github/ISSUE_TEMPLATE/rebase.md
+19-12Lines changed: 19 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,16 +13,22 @@
13
13
14
14
### Untag old packages
15
15
16
-
`koji untag`N-2 packages from the pool (at some point we'll have GC in place to do this for us, but for now we must remember to do this manually or otherwise distRepo will fail once the signed packages are GC'ed). For example the following snippet finds all RPMs signed by the Fedora 32 key and untags them. Use this process:
16
+
`koji untag` packages from the pool that are not signed by any "active" release key (at some point we'll have GC in place to do this for us, but for now we must remember to do this manually or otherwise distRepo will fail once the signed packages are GC'ed). Active releases are N-1 and N. If branching for N+1 has already occurred, N+1 is also considered active. Use this process:
17
17
18
-
-[ ] Find the key short hash. Usually found [here](https://pagure.io/fedora-infra/ansible/blob/main/f/roles/bodhi2/backend/templates/pungi.rpm.conf.j2). Then:
18
+
-[ ] First, coordinate with releng to let them know you'll be untagging N-2 packages and that you'll need them to update `tag2distrepo.keys` on the `coreos-pool` tag promptly afterward (to drop the N-2 key). This minimizes the window where the key list is out of sync with what's tagged. Check the current state with:
19
+
-`koji taginfo coreos-pool`
20
+
21
+
-[ ] Find the key short hashes for all active releases. Usually found [here](https://pagure.io/fedora-infra/ansible/blob/main/f/roles/bodhi2/backend/templates/pungi.rpm.conf.j2). Then build the untaglist of packages not signed by any active key:
19
22
20
23
```
21
-
f32key=12c944d0
22
-
key=$f32key
24
+
fN2key=<N-2 key hash> # the key being removed
25
+
fN1key=<N-1 key hash> # active
26
+
fNkey=<N key hash> # active
27
+
fNp1key=<N+1 key hash> # active if branching has already occurred
28
+
23
29
echo > untaglist # create or empty out file
24
30
for build in $(koji list-tagged --quiet coreos-pool | cut -f1 -d' '); do
25
-
if koji buildinfo $build | grep -i $key 1>/dev/null; then
31
+
if ! koji buildinfo $build | grep -iE "($fN1key|$fNkey|$fNp1key)" 1>/dev/null; then
26
32
echo "Adding $build to untag list"
27
33
echo "${build}" >> untaglist
28
34
fi
@@ -31,18 +37,19 @@ done
31
37
32
38
Now we have a list of builds to untag. But we need a few more sanity checks.
33
39
34
-
-[ ]Make sure none of the builds are used in `N` based FCOS. Check by running:
40
+
-[ ]Check the current `testing-devel` image for packages signed with the N-2 key:
If there are any RPMs signed by the old key they'll need to be investigated. Maybe they shouldn't be used any longer. Or maybe they're still needed. One example of this is the shim RPM where the same build could be used for many Fedora releases. In this case you'll need to untag the RPM from `coreos-pool`, run a `koji distrepo`, which will remove that RPM from the repo metadata, and then re-tag it into the pool. The RPM in the repo will now be signed with a newer signing key.
48
+
If there are any packages in the output, there are two possible cases:
44
49
50
+
1.**The package is signed by multiple keys** including an older one. This is OK, but add it to the untaglist anyway so it gets retagged into `coreos-pool` with a newer key/signature. You'll need to untag the RPM from `coreos-pool`, run a `koji distrepo` (which will remove that RPM from the repo metadata), and then re-tag it into the pool. The RPM in the repo will now be signed with a newer signing key.
45
51
52
+
2.**The package is only signed by an older (non-active) key**. This needs investigation. Something in the compose may be pulling in a stale package (dep issue?). It should not be untagged until the root cause is understood.
-[ ] Now that untagging is done, give a heads up to rpm-ostree developers that N-2 packages have been untagged and that they may need to update their CI compose tests to freeze on a newer FCOS commit.
55
62
56
-
-[ ] Remove the N-2 signing key from the tag info for the coreos-pool tag. The following commands view the current settings and then update the list to the 33/34/35 keys. You'll most likely have to get someone from releng to run the second command (`edit-tag`).
63
+
-[ ] Remove the N-2 signing key from the tag info for the coreos-pool tag. The following commands view the current settings and then update the list to the N-1/N/N+1 keys. You'll most likely have to get someone from releng to run the second command (`edit-tag`).
0 commit comments