-
-
Save kparal/b9a35d2b66e5401914f4cd67973e0864 to your computer and use it in GitHub Desktop.
fedora releasever=rawhide https://pagure.io/releng/issue/7445
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit 77a0f46ca6bcd322b62a43fdcac4a97fe5ff7887 | |
Author: Kamil Páral <kparal@redhat.com> | |
Date: Thu Apr 19 16:20:56 2018 +0200 | |
make $releasever return "rawhide" on Rawhide | |
This is a fairly significant change which will make $releasever (as understood | |
by dnf) return "rawhide" instead of a number (e.g. 35) for Rawhide users. The | |
purpose is to have a constant identifier, that developers and repo owners can | |
rely on. This will make Rawhide a true rolling release which won't need careful | |
adjustments every time we branch - once on Rawhide, you'll always stay on | |
Rawhide. This should also significantly simplify repo management, because repos | |
will no longer need a separate config for Rawhide which is different from stable | |
releases. The same config file containing "$releasever" can be used (instead of | |
hardcoding "rawhide" in URL), and it will resolve correctly to a "rawhide/" | |
directory on the repo server. | |
The overall hope is that this change should help users (system maintenance), | |
developers (simplifying automation) and repo owners (release differentiation no | |
longer needed). Please read the included link for a longer discussion. | |
This change introduces a new variable `is_rawhide`, which should be set to `1` | |
or `0`, depending on whether this release is Rawhide or not. It will then set | |
some additional variables automatically, to simplify specfile maintenance. | |
This change is made possible by dnf looking at package provides, when | |
determining $releasever, and `system-release(releasever)` is the first provides | |
it looks at. We don't use it in stable releases, but we can set the value on | |
Rawhide and it will have precedence. | |
This change will also need an accompanying change in fedora-repos, to be | |
committed and built together. | |
Related: https://pagure.io/releng/issue/7445 | |
diff --git a/fedora-release.spec b/fedora-release.spec | |
index 9b02cb4..51a234f 100644 | |
--- a/fedora-release.spec | |
+++ b/fedora-release.spec | |
@@ -1,10 +1,18 @@ | |
%define release_name Rawhide | |
+%define is_rawhide 1 | |
+ | |
%define dist_version 35 | |
%define rhel_dist_version 9 | |
-%define bug_version rawhide | |
-# Change this when branching to fNN | |
+%if %{is_rawhide} | |
+%define bug_version rawhide | |
+%define releasever rawhide | |
%define doc_version rawhide | |
+%else | |
+%define bug_version %{dist_version} | |
+%define releasever %{dist_version} | |
+%define doc_version f%{dist_version} | |
+%endif | |
%if 0%{?eln} | |
%bcond_with basic | |
@@ -50,7 +58,7 @@ | |
Summary: Fedora release files | |
Name: fedora-release | |
Version: 35 | |
-Release: 0.1%{?eln:.eln%{eln}} | |
+Release: 0.10%{?eln:.eln%{eln}} | |
License: MIT | |
URL: https://fedoraproject.org/ | |
@@ -107,6 +115,12 @@ Suggests: fedora-release | |
Requires: fedora-repos(%{version}) | |
Requires: fedora-release-identity = %{version}-%{release} | |
+%if %{is_rawhide} | |
+# Make $releasever return "rawhide" on Rawhide | |
+# https://pagure.io/releng/issue/7445 | |
+Provides: system-release(releasever) = %{releasever} | |
+%endif | |
+ | |
# Fedora ships a generic-release package to make the creation of Remixes | |
# easier, but it cannot coexist with the fedora-release[-*] packages, so we | |
# will explicitly conflict with it. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit f0e2d5a9c513a3b9246e56165de3e444e9eaf754 | |
Author: Kamil Páral <kparal@redhat.com> | |
Date: Fri Feb 12 12:43:21 2021 +0100 | |
make archmap entries mandatory, except symlinks | |
All GPG keys except symlinks must now have an entry in archmap. This is to | |
increase reliability and avoid frequent errors when updating this spec file. | |
diff --git a/archmap b/archmap | |
index e4793c4..63d86ce 100644 | |
--- a/archmap | |
+++ b/archmap | |
@@ -1,8 +1,10 @@ | |
fedora-7-primary: i386 x86_64 ppc ppc64 | |
fedora-8-primary: i386 x86_64 ppc ppc64 | |
+fedora-8-primary-original: | |
fedora-9-primary: i386 x86_64 ppc ppc64 | |
+fedora-9-primary-original: | |
fedora-9-secondary: ia64 | |
fedora-10-primary: i386 x86_64 ppc ppc64 | |
@@ -19,7 +21,7 @@ fedora-13-secondary: arm mips | |
fedora-14-primary: i386 x86_64 | |
fedora-14-secondary: arm | |
-fedora-15-primary: i386 x86_64 | |
+fedora-15-primary: i386 x86_64 | |
fedora-15-secondary: arm armhfp ppc ppc64 s390 s390x | |
fedora-16-primary: i386 x86_64 | |
@@ -60,6 +62,7 @@ fedora-27-primary: i386 x86_64 armhfp aarch64 ppc64 ppc64le s390x | |
fedora-28-primary: i386 x86_64 armhfp aarch64 ppc64 ppc64le s390x | |
fedora-29-primary: i386 x86_64 armhfp aarch64 ppc64 ppc64le s390x | |
+fedora-modularity: | |
fedora-30-primary: i386 x86_64 armhfp aarch64 ppc64le s390x | |
@@ -76,7 +79,3 @@ fedora-34-primary: i386 x86_64 armhfp aarch64 ppc64le s390x | |
fedora-35-primary: x86_64 armhfp aarch64 ppc64le s390x | |
fedora-36-primary: x86_64 armhfp aarch64 ppc64le s390x | |
- | |
-fedora-rawhide-primary: x86_64 armhfp aarch64 ppc64le s390x | |
- | |
-fedora-eln-primary: i386 x86_64 aarch64 ppc64le s390x | |
diff --git a/fedora-repos.spec b/fedora-repos.spec | |
index 12f2597..2a89673 100644 | |
--- a/fedora-repos.spec | |
+++ b/fedora-repos.spec | |
@@ -3,7 +3,7 @@ | |
Summary: Fedora package repositories | |
Name: fedora-repos | |
Version: 35 | |
-Release: 0.10%{?eln:.eln%{eln}} | |
+Release: 0.11%{?eln:.eln%{eln}} | |
License: MIT | |
URL: https://fedoraproject.org/ | |
@@ -170,9 +170,14 @@ pushd $RPM_BUILD_ROOT/etc/pki/rpm-gpg/ | |
ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-rawhide-primary | |
ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-eln-primary | |
for keyfile in RPM-GPG-KEY*; do | |
- key=${keyfile#RPM-GPG-KEY-} # e.g. 'fedora-20-primary' | |
- arches=$(sed -ne "s/^${key}://p" %{_sourcedir}/archmap) \ | |
- || echo "WARNING: no archmap entry for $key" | |
+ # resolve symlinks, so that we don't need to keep duplicate entries in archmap | |
+ real_keyfile=$(basename $(readlink -f $keyfile)) | |
+ key=${real_keyfile#RPM-GPG-KEY-} # e.g. 'fedora-20-primary' | |
+ if ! grep -q "^${key}:" %{_sourcedir}/archmap; then | |
+ echo "ERROR: no archmap entry for $key" | |
+ exit 1 | |
+ fi | |
+ arches=$(sed -ne "s/^${key}://p" %{_sourcedir}/archmap) | |
for arch in $arches; do | |
# replace last part with $arch (fedora-20-primary -> fedora-20-$arch) | |
ln -s $keyfile ${keyfile%%-*}-$arch # NOTE: RPM replaces %% with % | |
commit f0eb0bbf27553efc15b354502b0aefffc55452bb | |
Author: Kamil Páral <kparal@redhat.com> | |
Date: Fri Feb 12 12:35:11 2021 +0100 | |
support $releasever=rawhide on Rawhide | |
This commit is necessary to support a fedora-release change which makes | |
$releasever return "rawhide" on Rawhide (please read that commit first). | |
The most important change here is the introduction of the | |
`RPM-GPG-KEY-fedora-rawhide-primary` symlink to the current (numbered) Rawhide | |
key. This is necessary because $releasever resolves to "rawhide" now and | |
therefore the file must be present under the "rawhide" name. | |
There's an additional change present, which seemed related enough to include it | |
in the same commit - the Fedora 36 GPG key is added and it is referenced in | |
Rawhide repo files. The purpose is to have a reliable update process which | |
doesn't break just because users didn't update their system in a month (and | |
therefore missed the window during which gpg keys are changed). This problem | |
might be even more pronounced after this patch and therefore should be addressed | |
together. The fix also paves way for future simplification of fedora-repos (no | |
need for separate rawhide repo files, perhaps). | |
Additional checks have been added to reduce the likelihood of human errors when | |
Rawhide number is bumped. | |
Related: https://pagure.io/releng/issue/7445 | |
diff --git a/RPM-GPG-KEY-fedora-36-primary b/RPM-GPG-KEY-fedora-36-primary | |
new file mode 100644 | |
index 0000000..899affa | |
--- /dev/null | |
+++ b/RPM-GPG-KEY-fedora-36-primary | |
@@ -0,0 +1,29 @@ | |
+-----BEGIN PGP PUBLIC KEY BLOCK----- | |
+ | |
+mQINBGAcScoBEADLf8YHkezJ6adlMYw7aGGIlJalt8Jj2x/B2K+hIfIuxGtpVj7e | |
+LRgDU76jaT5pVD5mFMJ3pkeneR/cTmqqQkNyQshX2oQXwEzUSb1CNMCfCGgkX8Q2 | |
+zZkrIcCrF0Q2wrKblaudhU+iVanADsm18YEqsb5AU37dtUrM3QYdWg9R+XiPfV8R | |
+KBjT03vVBOdMSsY39LaCn6Ip1Ovp8IEo/IeEVY1qmCOPAaK0bJH3ufg4Cueks+TS | |
+wQWTeCLxuZL6OMXoOPKwvMQfxbg1XD8vuZ0Ktj/cNH2xau0xmsAu9HJpekvOPRxl | |
+yqtjyZfroVieFypwZgvQwtnnM8/gSEu/JVTrY052mEUT7Ccb74kcHFTFfMklnkG/ | |
+0fU4ARa504H3xj0ktbe3vKcPXoPOuKBVsHSv00UGYAyPeuy+87cU/YEhM7k3SVKj | |
+6eIZgyiMO0wl1YGDRKculwks9A+ulkg1oTb4s3zmZvP07GoTxW42jaK5WS+NhZee | |
+860XoVhbc1KpS+jfZojsrEtZ8PbUZ+YvF8RprdWArjHbJk2JpRKAxThxsQAsBhG1 | |
+0Lux2WaMB0g2I5PcMdJ/cqjo08ccrjBXuixWri5iu9MXp8qT/fSzNmsdIgn8/qZK | |
+i8Qulfu77uqhW/wt2btnitgRsqjhxMujYU4Zb4hktF8hKU/XX742qhL5KwARAQAB | |
+tDFGZWRvcmEgKDM1KSA8ZmVkb3JhLTM1LXByaW1hcnlAZmVkb3JhcHJvamVjdC5v | |
+cmc+iQJOBBMBCAA4FiEEeH6mrhFH7uVsQLMM20Y5cZhnxY8FAmAcScoCGw8FCwkI | |
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ20Y5cZhnxY+NYA/7BYpglySAZYHhjyKh | |
+/+f6zPfVvbH20Eq3kI7OFBN0nLX+BU1muvS+qTuS3WLrB3m3GultpKREJKLtm5ED | |
+1rGzXAoT1yp9YI8LADdMCCOyjAjsoWU87YUuC+/bnjrTeR2LROCfyPC76W985iOV | |
+m5S+bsQDw7C2LrldAM4MDuoyZ1SitGaZ4KQLVt+TEa14isYSGCjzo7PY8V3JOk50 | |
+gqWg82N/bm2EzS7T83WEDb1lvj4IlvxgIqKeg11zXYxmrYSZJJCfvzf+lNS6uxgH | |
+jx/J0ylZ2LibGr6GAAyO9UWrAZSwSM0EcjT8wECnxkSDuyqmWwVvNBXuEIV8Oe3Y | |
+MiU1fJN8sd7DpsFx5M+XdnMnQS+HrjTPKD3mWrlAdnEThdYV8jZkpWhDys3/99eO | |
+hk0rLny0jNwkauf/iU8Oc6XvMkjLRMJg5U9VKyJuWWtzwXnjMN5WRFBqK4sZomMM | |
+ftbTH1+5ybRW/A3vBbaxRW2t7UzNjczekSZEiaLN9L/HcJCIR1QF8682DdAlEF9d | |
+k2gQiYSQAaaJ0JJAzHvRkRJLLgK2YQYiHNVy2t3JyFfsram5wSCWOfhPeIyLBTZJ | |
+vrpNlPbefsT957Tf2BNIugzZrC5VxDSKkZgRh1VGvSIQnCyzkQy6EU2qPpiW59G/ | |
+hPIXZrKocK3KLS9/izJQTRltjMA= | |
+=PfT7 | |
+-----END PGP PUBLIC KEY BLOCK----- | |
diff --git a/archmap b/archmap | |
index e80ecbd..e4793c4 100644 | |
--- a/archmap | |
+++ b/archmap | |
@@ -75,4 +75,8 @@ fedora-34-primary: i386 x86_64 armhfp aarch64 ppc64le s390x | |
fedora-35-primary: x86_64 armhfp aarch64 ppc64le s390x | |
+fedora-36-primary: x86_64 armhfp aarch64 ppc64le s390x | |
+ | |
+fedora-rawhide-primary: x86_64 armhfp aarch64 ppc64le s390x | |
+ | |
fedora-eln-primary: i386 x86_64 aarch64 ppc64le s390x | |
diff --git a/fedora-repos.spec b/fedora-repos.spec | |
index c1c7f4e..12f2597 100644 | |
--- a/fedora-repos.spec | |
+++ b/fedora-repos.spec | |
@@ -3,7 +3,7 @@ | |
Summary: Fedora package repositories | |
Name: fedora-repos | |
Version: 35 | |
-Release: 0.1%{?eln:.eln%{eln}} | |
+Release: 0.10%{?eln:.eln%{eln}} | |
License: MIT | |
URL: https://fedoraproject.org/ | |
@@ -72,6 +72,10 @@ Source52: RPM-GPG-KEY-fedora-32-primary | |
Source53: RPM-GPG-KEY-fedora-33-primary | |
Source54: RPM-GPG-KEY-fedora-34-primary | |
Source55: RPM-GPG-KEY-fedora-35-primary | |
+Source56: RPM-GPG-KEY-fedora-36-primary | |
+# When bumping Rawhide to fN, create N+1 key (and update archmap). (This | |
+# ensures users have the next future key installed and referenced, even if they | |
+# don't update very often. This will smooth out Rawhide N->N+1 transition for them). | |
Source100: fedora-modular.repo | |
Source101: fedora-updates-modular.repo | |
@@ -162,7 +166,8 @@ install -m 644 %{_sourcedir}/RPM-GPG-KEY* $RPM_BUILD_ROOT/etc/pki/rpm-gpg/ | |
# says "fedora-19-primary: i386 x86_64", | |
# RPM-GPG-KEY-fedora-19-{i386,x86_64} will be symlinked to that key. | |
pushd $RPM_BUILD_ROOT/etc/pki/rpm-gpg/ | |
-# Also add a symlink for ELN keys | |
+# Also add a symlink for Rawhide and ELN keys | |
+ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-rawhide-primary | |
ln -s RPM-GPG-KEY-fedora-%{rawhide_release}-primary RPM-GPG-KEY-fedora-eln-primary | |
for keyfile in RPM-GPG-KEY*; do | |
key=${keyfile#RPM-GPG-KEY-} # e.g. 'fedora-20-primary' | |
@@ -177,6 +182,17 @@ done | |
ln -s RPM-GPG-KEY-fedora-%{version}-primary RPM-GPG-KEY-%{version}-fedora | |
popd | |
+# Adjust Rawhide repo files to include Rawhide+1 GPG key. | |
+# This is necessary for the period when Rawhide gets bumped to N+1 and packages | |
+# start to be signed with a newer key. Without having the key specified in the | |
+# repo file, the system would consider the new packages as untrusted. | |
+rawhide_next=$((%{rawhide_release}+1)) | |
+for repo in %{_sourcedir}/fedora-rawhide*.repo; do | |
+ sed -ir "s@^gpgkey=.*@& file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-\$basearch@" \ | |
+ $repo || exit 1 | |
+done | |
+ | |
+# Install repo files | |
install -d -m 755 $RPM_BUILD_ROOT/etc/yum.repos.d | |
for file in %{_sourcedir}/fedora*repo ; do | |
install -m 644 $file $RPM_BUILD_ROOT/etc/yum.repos.d | |
@@ -198,6 +214,28 @@ for repo in $RPM_BUILD_ROOT/etc/yum.repos.d/fedora-{rawhide,eln}*.repo; do | |
%endif | |
done | |
+# make sure the Rawhide+1 key wasn't forgotten to be created | |
+rawhide_next=$((%{rawhide_release}+1)) | |
+if ! test -f $RPM_BUILD_ROOT/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-${rawhide_next}-primary; then | |
+ echo "ERROR: GPG key for Fedora ${rawhide_next} is not present" | |
+ exit 1 | |
+fi | |
+ | |
+# make sure the Rawhide+1 key is present in Rawhide repo files | |
+for repo in $RPM_BUILD_ROOT/etc/yum.repos.d/fedora-rawhide*.repo; do | |
+ gpg_lines=$(grep '^gpgkey=' $repo) | |
+ if test -z "$gpg_lines"; then | |
+ echo "ERROR: No gpgkey= lines in $repo" | |
+ exit 1 | |
+ fi | |
+ while IFS= read -r line; do | |
+ if ! echo "$line" | grep -q "RPM-GPG-KEY-fedora-${rawhide_next}"; then | |
+ echo "ERROR: Fedora ${rawhide_next} GPG key missing in $repo" | |
+ exit 1 | |
+ fi | |
+ done <<< "$gpg_lines" | |
+done | |
+ | |
%files | |
%dir /etc/yum.repos.d |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment