Missing critical dependency, Koji

C. Scott Ananian cscott at laptop.org
Tue Aug 19 11:48:13 EDT 2008


On Sun, Aug 17, 2008 at 8:27 PM, John Gilmore <gnu at toad.com> wrote:
>> Anyway, in the meantime, we have raw rpmbuild, mock (which needs to be
>> configured not to use Fedora's koji, but this is not so hard), our own
>> buildroot (probably hidden away somewhere on weka.laptop.org), and the
>> joyride dropbox system. In conclusion, we'll live.
>
> I got an impression that all we were using koji for was to pull in
> binaries of F9 packages that olpc had never modified.  If that's true,

That's not quite true.  We also have an 'olpc3' branch of the rpm
sources in koji, and many packages use it to manage their builds.  In
fact, perhaps all packages live in koji except those packages
maintained by the etoys folks and me.

That's not "upstream" sources, that's the "packaging" sources: the rpm
spec files and patches and such.  Still, that's a significant amount
of work (as we discovered the hard way with the F9 rebase.)

> we can quickly set up our own mirror by starting with an F9 binary
> install DVD (readily available from mirrors or BitTorrent; I'm serving it
> up myself on BT), and updating it with any packages revised in
> Fedora Updates (also available on mirrors).

Again, that doesn't include all the packages we've locally modified;
nor does it include F9 "updates", which we've been pulling in.

> until it is.  I also recommend getting enough control of our own build
> system that we have *saved* enough source and binary RPM's to fully
> reproduce every release we subsequently build.  (The ability to
> rebuild an identical release is key to retaining the ability to make a
> slightly evolved release that contains only well defined changes.)

We do this for stable builds; the problem was/is that we hadn't forked
a stable build from joyride yet as of the time of the koji outage.

> Currently I'm sure we don't have src.rpm's for everything we have in
> binary.  (If anybody knows where the olpc-licenses src.rpm is, we're
> actively looking for it so we can fix it!)

http://mock.laptop.org/gitweb/gitweb.cgi?p=repos;a=tree;f=SRPMS;h=ec5cc9c74ca05b64d66813bf08b8bb87dcbb540f;hb=HEAD

> BTW, the Fedora sysadmins are being mysterious about the "issues we
> discovered earlier this week" that caused them to take down Koji:
[...]
> It smells to me like an attack, perhaps designed to corrupt the master
> packages that large numbers of people are downloading in binary and
> installing without question :-(.

Putting my less-paranoid hat on, I'd say: almost certainly an attack,
but I'm guessing they are veeery carefully comparing all their
repositories and systems against backup before saying whether (or not)
their master packages or source repos were compromised.  The caution
seems justified: they should make sure they understand exactly what was
changed and why before making any statements about what was/was not
attacked/vulnerable/compromised.
 --scott

-- 
 ( http://cscott.net/ )


