Make coprdirs have their repo available in the buildroot #3369
Conversation
|
This would bring security issue into the We need to solve the s.f.o integration first, somehow. |
Pull Request validationFailed🔴 Review - Missing review from a member (2 required) Success🟢 CI - All checks have passed |
FrostyX
force-pushed
the
coprdir-buildroot-repo
branch
from
ff65588 to
df12563
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
FrostyX
force-pushed
the
coprdir-buildroot-repo
branch
from
df12563 to
764cf2d
Compare
Alternatively, we could separate then through `event_info.user` which would produce CoprDir names like `foocopr:pr:jdoe-1`. This wouldn't separate the different packages but it would be good enough to fix the security issue. And it would produce shorter names than the project URL paths.
This is useful in general but especially for pull requests that build multiple packages which depend on each other (e.g. `python-copr` and `copr-cli`). Up until now, it had to be workarounded by building the dependency into the main copr repository.
FrostyX
force-pushed
the
coprdir-buildroot-repo
branch
from
764cf2d to
a14af3f
Compare
|
Took me only half a year but updated, PTAL. |
| # And this is the package that builds on top of it (e.g. copr-cli) | ||
| rlRun "curl https://src.fedoraproject.org/rpms/hello/raw/rawhide/f/hello.spec > $tmp/hello-2.spec" | ||
| rlRun "sed -i '1s/^/BuildRequires: hello >= 6:\n/' $tmp/hello-2.spec" | ||
| rlRun "copr-cli build $PROJECT:custom:foo $tmp/hello-2.spec" |
There was a problem hiding this comment.
this needs update; you can use --after-build-id to order properly, and then we need to wait for the build result
There was a problem hiding this comment.
I wrote this test a long time ago, so I don't remember my thought process. But there is no --nowait for the first build, so the second one should be submitted only after the first one is finished. Using build batches should make no difference, no?
There was a problem hiding this comment.
Waiting is necessary IMVHO, otherwise we are not testing anything :-/
And then, batches allow you to wait for just one of them (because the second one doesn't start untill the first one is finished).
| @@ -692,8 +694,7 @@ def validate(cls, copr, dirname): | |||
| f"Please use directory format {copr.name}:custom:<SUFFIX_OF_CHOICE> " | |||
| f"or {copr.name}:pr:<ID> (for automatically removed directories)" | |||
| ) | |||
|
|
|||
| if not all(x.isalnum() for x in dirname.split(":")[1:]): | |||
| if not all(x.isalnum() for x in re.split(r"[:-]+", dirname)[1:]): | |||
There was a problem hiding this comment.
this deserves an in-line note :-) I'm not sure this is correct
We basically only want to allow one more :-separated field, right? I'd wish we had a test-case for the validation.
There was a problem hiding this comment.
Then, I'm a bit scare of creating custom dirnames, because we don't have a method for deleting them.
Then, note #820 -> will that still work & remove PR dirs after certain period of time?
This is useful in general but especially for pull requests that build multiple packages which depend on each other (e.g.
python-coprandcopr-cli). Up until now, it had to be workarounded by building the dependency into the main copr repository.