Greetings everyone.

Fedora Release engineering was made aware recently that some real builds
seemed to have been done from commits not in any branch in the main
repository for the package. All cases we are currently aware of were
maintainers mistakenly building from a forked repo with a valid pull 
request.

On investigation, this was found to be due to some changes in how koji
does the buildSRPMFromSCM task and us being unaware of the implications
of that change.

In short, when a pull request is created, pagure keeps track of those
commits in refs/pulls. Previously koji did a 'git reset' to the exact
commit, which would only work for commits on a branch. The new method 
with 'git fetch' will follow refs and find the pull request commit.

Upstream koji developers have created a plugin for us to check policy
after the checkout and require official builds to be from a commit that
is in a branch. This plugin has been deployed and is active.

Sorry for any confusion this issue may have caused.

kevin
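
The policy described above, as an added example that is not part of the original message and is not koji's plugin: a check that a commit is reachable from a branch rather than only from a pull-request ref. The repository, the branch name rawhide and the ref name refs/pulls/demo-1 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not koji's plugin): is a commit reachable from any branch?

# Return 0 when commit $2 in repository $1 is contained in at least one
# refs/heads/* branch; return 1 when only other refs (or none) reach it.
commit_on_branch() {
    refs=$(git -C "$1" for-each-ref --contains "$2" \
        --format='%(refname)' refs/heads/ 2>/dev/null) || return 1
    [ -n "$refs" ]
}

# Commit with a throwaway identity so the demo needs no git configuration.
demo_commit() {
    git -C "$REPO" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m "$1"
}

# Build a constructed repository: one commit on branch "rawhide" and one
# commit reachable only through the constructed ref refs/pulls/demo-1.
# Sets REPO, BRANCH_SHA and PR_SHA.
make_demo_repo() {
    REPO=$(mktemp -d) || return 1
    git init -q "$REPO"
    git -C "$REPO" symbolic-ref HEAD refs/heads/rawhide
    demo_commit "official change"
    BRANCH_SHA=$(git -C "$REPO" rev-parse HEAD)
    git -C "$REPO" checkout -q --detach
    demo_commit "change proposed from a fork"
    PR_SHA=$(git -C "$REPO" rev-parse HEAD)
    git -C "$REPO" update-ref refs/pulls/demo-1 "$PR_SHA"
    git -C "$REPO" checkout -q rawhide
}

# Policy verdict for a build request, as a string: "allow" or "deny".
build_verdict() {
    if commit_on_branch "$1" "$2"; then echo allow; else echo deny; fi
}

make_demo_repo
echo "branch commit:       $(build_verdict "$REPO" "$BRANCH_SHA")"
echo "pull-request commit: $(build_verdict "$REPO" "$PR_SHA")"
```

The pull-request commit exists in the repository and resolves by hash, but no ref under refs/heads/ contains it, so the check denies it.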
