Skip to content

Instantly share code, notes, and snippets.

@kparal

kparal/fedora-release.diff Secret

Last active Feb 12, 2021
Embed
What would you like to do?
fedora releasever=rawhide https://pagure.io/releng/issue/7445
commit 77a0f46ca6bcd322b62a43fdcac4a97fe5ff7887
Author: Kamil Páral <kparal@redhat.com>
Date: Thu Apr 19 16:20:56 2018 +0200
make $releasever return "rawhide" on Rawhide
This is a fairly significant change which will make $releasever (as understood
by dnf) return "rawhide" instead of a number (e.g. 35) for Rawhide users. The
purpose is to have a constant identifier, that developers and repo owners can
rely on. This will make Rawhide a true rolling release which won't need careful
adjustments every time we branch - once on Rawhide, you'll always stay on
Rawhide. This should also significantly simplify repo management, because repos
will no longer need a separate config for Rawhide which is different from stable
releases. The same config file containing "$releasever" can be used (instead of
hardcoding "rawhide" in URL), and it will resolve correctly to a "rawhide/"
directory on the repo server.
The overall hope is that this change should help users (system maintenance),
developers (simplifying automation) and repo owners (release differentiation no
longer needed). Please read the included link for a longer discussion.
This change introduces a new variable `is_rawhide`, which should be set to `1`
or `0`, depending on whether this release is Rawhide or not. It will then set
some additional variables automatically, to simplify specfile maintenance.
This change is made possible by dnf looking at package provides, when
determining $releasever, and `system-release(releasever)` is the first provides
it looks at. We don't use it in stable releases, but we can set the value on
Rawhide and it will have precedence.
This change will also need an accompanying change in fedora-repos, to be
committed and built together.
Related: https://pagure.io/releng/issue/7445
diff --git a/fedora-release.spec b/fedora-release.spec
index 9b02cb4..51a234f 100644
--- a/fedora-release.spec
+++ b/fedora-release.spec
@@ -1,10 +1,18 @@
%define release_name Rawhide
+%define is_rawhide 1
+
%define dist_version 35
%define rhel_dist_version 9
-%define bug_version rawhide
-# Change this when branching to fNN
+%if %{is_rawhide}
+%define bug_version rawhide
+%define releasever rawhide
%define doc_version rawhide
+%else
+%define bug_version %{dist_version}
+%define releasever %{dist_version}
+%define doc_version f%{dist_version}
+%endif
%if 0%{?eln}
%bcond_with basic
@@ -50,7 +58,7 @@
Summary: Fedora release files
Name: fedora-release
Version: 35
-Release: 0.1%{?eln:.eln%{eln}}
+Release: 0.10%{?eln:.eln%{eln}}
License: MIT
URL: https://fedoraproject.org/
@@ -107,6 +115,12 @@ Suggests: fedora-release
Requires: fedora-repos(%{version})
Requires: fedora-release-identity = %{version}-%{release}
+%if %{is_rawhide}
+# Make $releasever return "rawhide" on Rawhide
+# https://pagure.io/releng/issue/7445
+Provides: system-release(releasever) = %{releasever}
+%endif
+
# Fedora ships a generic-release package to make the creation of Remixes
# easier, but it cannot coexist with the fedora-release[-*] packages, so we
# will explicitly conflict with it.
commit f0e2d5a9c513a3b9246e56165de3e444e9eaf754
Author: Kamil Páral <kparal@redhat.com>
Date: Fri Feb 12 12:43:21 2021 +0100
make archmap entries mandatory, except symlinks
All GPG keys except symlinks must now have an entry in archmap. This is to
increase reliability and avoid frequent errors when updating this spec file.
diff --git a/archmap b/archmap
index e4793c4..63d86ce 100644
--- a/archmap
+++ b/archmap
@@ -1,8 +1,10 @@
fedora-7-primary: i386 x86_64 ppc ppc64
fedora-8-primary: i386 x86_64 ppc ppc64
+fedora-8-primary-original:
fedora-9-primary: i386 x86_64 ppc ppc64
+fedora-9-primary-original:
fedora-9-secondary: ia64
fedora-10-primary: i386 x86_64 ppc ppc64
@@ -19,7 +21,7 @@ fedora-13-secondary: arm mips
fedora-14-primary: i386 x86_64
fedora-14-secondary: arm
-fedora-15-primary: i386 x86_64
+fedora-15-primary: i386 x86_64
fedora-15-secondary: arm armhfp ppc ppc64 s390 s390x
fedora-16-primary: i386 x86_64
@@ -60,6 +62,7 @@ fedora-27-primary: i386 x86_64 armhfp aarch64 ppc64 ppc64le s390x
fedora-28-primary: i386 x86_64 armhfp aarch64 ppc64 ppc64le s390x
fedora-29-primary: i386 x86_64 armhfp aarch64 ppc64 ppc64le s390x
+fedora-modularity:
fedora-30-primary: i386 x86_64 armhfp aarch64 ppc64le s390x
@@ -76,7 +79,3 @@ fedora-34-primary: i386 x86_64 armhfp aarch64 ppc64le s390x
fedora-35-primary: x86_64 armhfp aarch64 ppc64le s390x
fedora-36-primary: x86_64 armhfp aarch64 ppc64le s390x
-
-fedora-rawhide-primary: x86_64 armhfp aarch64 ppc64le s390x
-
-fedora-eln-primary: i386 x86_64 aarch64 ppc64le s390x
diff --git a/fedora-repos.spec b/fedora-repos.spec
index 12f2597..2a89673 100644
--- a/fedora-repos.spec
+++ b/fedora-repos.spec
@@ -3,7 +3,7 @@
Summary: Fedora package repositories
Name: fedora-repos
Version: 35
-Release: 0.10%{?eln:.eln%{eln}}
+Release: 0.11%{?eln:.eln%{eln}}
License: MIT
URL: https://fedoraproject.org/
@@ -170,9 +170,14 @@ pushd $RPM_BUILD_ROOT/etc/pki/rpm-gpg/
ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-rawhide-primary
ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-eln-primary
for keyfile in RPM-GPG-KEY*; do
- key=${keyfile#RPM-GPG-KEY-} # e.g. 'fedora-20-primary'
- arches=$(sed -ne "s/^${key}://p" %{_sourcedir}/archmap) \
- || echo "WARNING: no archmap entry for $key"
+ # resolve symlinks, so that we don't need to keep duplicate entries in archmap
+ real_keyfile=$(basename $(readlink -f $keyfile))
+ key=${real_keyfile#RPM-GPG-KEY-} # e.g. 'fedora-20-primary'
+ if ! grep -q "^${key}:" %{_sourcedir}/archmap; then
+ echo "ERROR: no archmap entry for $key"
+ exit 1
+ fi
+ arches=$(sed -ne "s/^${key}://p" %{_sourcedir}/archmap)
for arch in $arches; do
# replace last part with $arch (fedora-20-primary -> fedora-20-$arch)
ln -s $keyfile ${keyfile%%-*}-$arch # NOTE: RPM replaces %% with %
commit f0eb0bbf27553efc15b354502b0aefffc55452bb
Author: Kamil Páral <kparal@redhat.com>
Date: Fri Feb 12 12:35:11 2021 +0100
support $releasever=rawhide on Rawhide
This commit is necessary to support a fedora-release change which makes
$releasever return "rawhide" on Rawhide (please read that commit first).
The most important change here is the introduction of the
`RPM-GPG-KEY-fedora-rawhide-primary` symlink to the current (numbered) Rawhide
key. This is necessary because $releasever resolves to "rawhide" now and
therefore the file must be present under the "rawhide" name.
There's an additional change present, which seemed related enough to include it
in the same commit - the Fedora 36 GPG key is added and it is referenced in
Rawhide repo files. The purpose is to have a reliable update process which
doesn't break just because users didn't update their system in a month (and
therefore missed the window during which gpg keys are changed). This problem
might be even more pronounced after this patch and therefore should be addressed
together. The fix also paves way for future simplification of fedora-repos (no
need for separate rawhide repo files, perhaps).
Additional checks have been added to reduce the likelihood of human errors when
Rawhide number is bumped.
Related: https://pagure.io/releng/issue/7445
diff --git a/RPM-GPG-KEY-fedora-36-primary b/RPM-GPG-KEY-fedora-36-primary
new file mode 100644
index 0000000..899affa
--- /dev/null
+++ b/RPM-GPG-KEY-fedora-36-primary
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGAcScoBEADLf8YHkezJ6adlMYw7aGGIlJalt8Jj2x/B2K+hIfIuxGtpVj7e
+LRgDU76jaT5pVD5mFMJ3pkeneR/cTmqqQkNyQshX2oQXwEzUSb1CNMCfCGgkX8Q2
+zZkrIcCrF0Q2wrKblaudhU+iVanADsm18YEqsb5AU37dtUrM3QYdWg9R+XiPfV8R
+KBjT03vVBOdMSsY39LaCn6Ip1Ovp8IEo/IeEVY1qmCOPAaK0bJH3ufg4Cueks+TS
+wQWTeCLxuZL6OMXoOPKwvMQfxbg1XD8vuZ0Ktj/cNH2xau0xmsAu9HJpekvOPRxl
+yqtjyZfroVieFypwZgvQwtnnM8/gSEu/JVTrY052mEUT7Ccb74kcHFTFfMklnkG/
+0fU4ARa504H3xj0ktbe3vKcPXoPOuKBVsHSv00UGYAyPeuy+87cU/YEhM7k3SVKj
+6eIZgyiMO0wl1YGDRKculwks9A+ulkg1oTb4s3zmZvP07GoTxW42jaK5WS+NhZee
+860XoVhbc1KpS+jfZojsrEtZ8PbUZ+YvF8RprdWArjHbJk2JpRKAxThxsQAsBhG1
+0Lux2WaMB0g2I5PcMdJ/cqjo08ccrjBXuixWri5iu9MXp8qT/fSzNmsdIgn8/qZK
+i8Qulfu77uqhW/wt2btnitgRsqjhxMujYU4Zb4hktF8hKU/XX742qhL5KwARAQAB
+tDFGZWRvcmEgKDM1KSA8ZmVkb3JhLTM1LXByaW1hcnlAZmVkb3JhcHJvamVjdC5v
+cmc+iQJOBBMBCAA4FiEEeH6mrhFH7uVsQLMM20Y5cZhnxY8FAmAcScoCGw8FCwkI
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ20Y5cZhnxY+NYA/7BYpglySAZYHhjyKh
+/+f6zPfVvbH20Eq3kI7OFBN0nLX+BU1muvS+qTuS3WLrB3m3GultpKREJKLtm5ED
+1rGzXAoT1yp9YI8LADdMCCOyjAjsoWU87YUuC+/bnjrTeR2LROCfyPC76W985iOV
+m5S+bsQDw7C2LrldAM4MDuoyZ1SitGaZ4KQLVt+TEa14isYSGCjzo7PY8V3JOk50
+gqWg82N/bm2EzS7T83WEDb1lvj4IlvxgIqKeg11zXYxmrYSZJJCfvzf+lNS6uxgH
+jx/J0ylZ2LibGr6GAAyO9UWrAZSwSM0EcjT8wECnxkSDuyqmWwVvNBXuEIV8Oe3Y
+MiU1fJN8sd7DpsFx5M+XdnMnQS+HrjTPKD3mWrlAdnEThdYV8jZkpWhDys3/99eO
+hk0rLny0jNwkauf/iU8Oc6XvMkjLRMJg5U9VKyJuWWtzwXnjMN5WRFBqK4sZomMM
+ftbTH1+5ybRW/A3vBbaxRW2t7UzNjczekSZEiaLN9L/HcJCIR1QF8682DdAlEF9d
+k2gQiYSQAaaJ0JJAzHvRkRJLLgK2YQYiHNVy2t3JyFfsram5wSCWOfhPeIyLBTZJ
+vrpNlPbefsT957Tf2BNIugzZrC5VxDSKkZgRh1VGvSIQnCyzkQy6EU2qPpiW59G/
+hPIXZrKocK3KLS9/izJQTRltjMA=
+=PfT7
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/archmap b/archmap
index e80ecbd..e4793c4 100644
--- a/archmap
+++ b/archmap
@@ -75,4 +75,8 @@ fedora-34-primary: i386 x86_64 armhfp aarch64 ppc64le s390x
fedora-35-primary: x86_64 armhfp aarch64 ppc64le s390x
+fedora-36-primary: x86_64 armhfp aarch64 ppc64le s390x
+
+fedora-rawhide-primary: x86_64 armhfp aarch64 ppc64le s390x
+
fedora-eln-primary: i386 x86_64 aarch64 ppc64le s390x
diff --git a/fedora-repos.spec b/fedora-repos.spec
index c1c7f4e..12f2597 100644
--- a/fedora-repos.spec
+++ b/fedora-repos.spec
@@ -3,7 +3,7 @@
Summary: Fedora package repositories
Name: fedora-repos
Version: 35
-Release: 0.1%{?eln:.eln%{eln}}
+Release: 0.10%{?eln:.eln%{eln}}
License: MIT
URL: https://fedoraproject.org/
@@ -72,6 +72,10 @@ Source52: RPM-GPG-KEY-fedora-32-primary
Source53: RPM-GPG-KEY-fedora-33-primary
Source54: RPM-GPG-KEY-fedora-34-primary
Source55: RPM-GPG-KEY-fedora-35-primary
+Source56: RPM-GPG-KEY-fedora-36-primary
+# When bumping Rawhide to fN, create N+1 key (and update archmap). (This
+# ensures users have the next future key installed and referenced, even if they
+# don't update very often. This will smooth out Rawhide N->N+1 transition for them).
Source100: fedora-modular.repo
Source101: fedora-updates-modular.repo
@@ -162,7 +166,8 @@ install -m 644 %{_sourcedir}/RPM-GPG-KEY* $RPM_BUILD_ROOT/etc/pki/rpm-gpg/
# says "fedora-19-primary: i386 x86_64",
# RPM-GPG-KEY-fedora-19-{i386,x86_64} will be symlinked to that key.
pushd $RPM_BUILD_ROOT/etc/pki/rpm-gpg/
-# Also add a symlink for ELN keys
+# Also add a symlink for Rawhide and ELN keys
+ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-rawhide-primary
ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-eln-primary
for keyfile in RPM-GPG-KEY*; do
key=${keyfile#RPM-GPG-KEY-} # e.g. 'fedora-20-primary'
@@ -177,6 +182,17 @@ done
ln -s RPM-GPG-KEY-fedora-%{version}-primary RPM-GPG-KEY-%{version}-fedora
popd
+# Adjust Rawhide repo files to include Rawhide+1 GPG key.
+# This is necessary for the period when Rawhide gets bumped to N+1 and packages
+# start to be signed with a newer key. Without having the key specified in the
+# repo file, the system would consider the new packages as untrusted.
+rawhide_next=$((%{rawhide_release}+1))
+for repo in %{_sourcedir}/fedora-rawhide*.repo; do
+ sed -ir "s@^gpgkey=.*@& file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-\$basearch@" \
+ $repo || exit 1
+done
+
+# Install repo files
install -d -m 755 $RPM_BUILD_ROOT/etc/yum.repos.d
for file in %{_sourcedir}/fedora*repo ; do
install -m 644 $file $RPM_BUILD_ROOT/etc/yum.repos.d
@@ -198,6 +214,28 @@ for repo in $RPM_BUILD_ROOT/etc/yum.repos.d/fedora-{rawhide,eln}*.repo; do
%endif
done
+# make sure the Rawhide+1 key wasn't forgotten to be created
+rawhide_next=$((%{rawhide_release}+1))
+if ! test -f $RPM_BUILD_ROOT/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-primary; then
+ echo "ERROR: GPG key for Fedora ${rawhide_next} is not present"
+ exit 1
+fi
+
+# make sure the Rawhide+1 key is present in Rawhide repo files
+for repo in $RPM_BUILD_ROOT/etc/yum.repos.d/fedora-rawhide*.repo; do
+ gpg_lines=$(grep '^gpgkey=' $repo)
+ if test -z "$gpg_lines"; then
+ echo "ERROR: No gpgkey= lines in $repo"
+ exit 1
+ fi
+ while IFS= read -r line; do
+ if ! echo "$line" | grep -q "RPM-GPG-KEY-fedora-${rawhide_next}"; then
+ echo "ERROR: Fedora ${rawhide_next} GPG key missing in $repo"
+ exit 1
+ fi
+ done <<< "$gpg_lines"
+done
+
%files
%dir /etc/yum.repos.d
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment