open-build-service merge requests
https://gitlab.collabora.com/obs/open-build-service/-/merge_requests
2024-03-08T18:42:42Z

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/72
aptly: Add new repository configuration format
2024-03-08T18:42:42Z
Andrej Shadura <andrew.shadura@collabora.co.uk>

The new configuration format splits aptly repositories and OBS projects
into two separate hashmaps, while still allowing to override settings
on per-project level:
    my $apertis_aptly_server = {
        "url" => "https://...",
        "token" => "...",
    };
    our $aptly_targets = {
        "apertis" => {
            "server" => $apertis_aptly_server,
            "gpg-key" => $aptly_gpgkey,
            "prefix" => "apertis",
        }
    };
    our $aptly_projects = {
        "apertis:v2025:target" => {
            "default" => {
                "target" => "apertis",
                "distribution" => "v2025",
                "component" => "target",
            }
        },
        "apertis:v2025:development" => {
            "default" => {
                "target" => "apertis",
                "distribution" => "v2025",
                "component" => "development",
            }
        },
        "apertis:v2025:sdk" => {
            "default" => {
                "target" => "apertis",
                "distribution" => "v2025",
                "gpg-key" => "...",
                "component" => "sdk",
            },
            "rebuild" => {
                "distribution" => "v2025",
                "component" => "sdk",
                "gpg-key" => "...",
                "prefix" => "apertis",
                "aptly-server" => {
                    "url" => "https://rebuilds.apertis.org",
                    "token" => "tokentoken",
                },
            },
        },
        "apertis:v2025:foo" => {
            "default" => {
                "distribution" => "v2025",
                "component" => "sdk",
                "prefix" => "foo",
                "gpg-key" => "...",
                "aptly-server" => {
                    "url" => "https://aptly.example.org/debian",
                    "token" => "toktok",
                },
            }
        },
    };
The old-style configuration is still accepted for the time being,
subject to be removed in future.

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/73
Always include annotations in the Deployment object
2024-02-14T09:52:18Z
Pablo Vigo Mas

Checksum in annotations ensures that the pod restarts when an object is
updated. Previously, checksums were not included when there were no other
annotations on the object, so they had no effect.
Instead, always include annotations with at least the checksums, so they
are used regardless.
Signed-off-by: Pablo Vigo <pvigo@collabora.com>

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/70
Ensure Pod Restarts upon Object Update.
2023-12-21T15:47:25Z
Pablo Vigo Mas

Ensure Pod restarts automatically whenever Secret object is updated.
A hash of the object is now included in Deployment.
Signed-off-by: Pablo Vigo <pvigo@collabora.com>

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/69
production: Enable zstd support
2023-10-06T12:43:22Z
Andrej Shadura <andrew.shadura@collabora.co.uk>

Update libsolv and obs-build to enable zstd.

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/68
Bump libsolv to enable zstd support
2023-10-05T13:16:24Z
Andrej Shadura <andrew.shadura@collabora.co.uk>

Included in libsolv 0.7.25-1ccu1.

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/67
Merge allowbuilddep and aptly into production
2023-09-01T09:14:48Z
Andrej Shadura <andrew.shadura@collabora.co.uk>

#### Changes included
* aptly: Rename aptly_server option to aptly-server
* Build docker images on standard runners
* backend: Update aptly-rest-tools to v0.0.4
* aptly: Fix incorrect architecture values
* aptly: Perform operations via aptly-rest-tools
* backend: Install aptly-rest-tools
* Re-enable and extend debug prints
* tests: Add a test for allowbuilddep name="*"
* tests: Make sure create-user can be called multiple times in a row
* Add support for global allowbuilddep
* tests: Dump the last scheduler logs bits
* tests: Verify that allowbuilddep does not apply transitively
* tests: Split wait-for-pkg-state out of wait-for-pkg
* tests: Verify allowbuilddep functionality works
* tests: Add a script to create a user
* tests: Enable debug logging on the frontend
* tests: Rewrite create-project in Python
#### Merge requests included
* !61
* !62
* !64
* !63
* !65

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/65
backend: Update aptly-rest-tools to v0.0.4
2023-09-01T07:53:56Z
Ryan Gonzalez

This includes needed changes to debian-packaging to fix inaccuracies in
version comparisons.
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/63
aptly: Fix incorrect architecture values
2023-09-01T07:53:55Z
Ryan Gonzalez

--architectures (which was the wrong option name in the first place) is
supposed to be passed multiple times. Passing a comma-separated arch
list instead ends up generating nonsensical architecture names.
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
<hr>
<strike>Draft because this depends on https://github.com/collabora/aptly-rest-tools/pull/10.</strike> now ready

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/64
Re-enable and extend debug prints
2023-09-01T07:53:55Z
Andrej Shadura <andrew.shadura@collabora.co.uk>

These were nicely commented out in the upstream code, but very useful
when debugging issues like randomly restarting builds.

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/62
Add allowbuilddep name="*"
2023-09-01T07:53:55Z
Andrej Shadura <andrew.shadura@collabora.co.uk>

`<allowbuilddep name="*" />` allows any project to depend on binaries
produced by this project.
This addresses the licensing constraints imposed for packages like
the commercial Qt distribution, where sources must not be redistributed
but the resulting binaries are not subject to any restrictions.
Currently, only "`*`" is supported as a pattern, anything else is
to be implemented in the event of sufficient demand.

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/61
Add a test to verify allowbuilddep functionality works
2023-09-01T07:53:55Z
Andrej Shadura <andrew.shadura@collabora.co.uk>

1. Create two extra non-admin users
2. Create a private project for the first user, and a public one
for the other user.
3. Set allowbuilddep to let the second user use binaries from the
hidden project by the first user.
4. Build a package in a hidden project.
5. Build a package build-depending on that one, in the public project.

Emanuele Aina <emanuele.aina@collabora.com>

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/66
Merge aptly feature branch into staging
2023-08-31T09:14:01Z
Sjoerd Simons

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/48
Use UPN to look up users, don’t give a choice of username
2023-07-03T13:33:27Z
Andrej Shadura <andrew.shadura@collabora.co.uk>

Use username and nickname fields to retrieve the username,
since some backends use username (e.g. GitLab), while others use
nickname (OIDC).
~~This merge request doesn’t drop extra templates previously implemented in b964a418; they’re not used anymore, but they’re harmless.~~
See https://phabricator.apertis.org/T9495

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/55
Publish .orig-$component.tar.*.asc files as well
2023-07-03T13:33:25Z
Emanuele Aina <emanuele.aina@collabora.com>

The `freetype` Debian package uses multi-component orig tarballs, and
also includes PGP signatures for them:
    freetype_2.10.4+dfsg-1+deb11u1+apertis0.debian.tar.xz
    freetype_2.10.4+dfsg-1+deb11u1+apertis0.dsc
    freetype_2.10.4+dfsg.orig-ft2demos.tar.xz
    freetype_2.10.4+dfsg.orig-ft2demos.tar.xz.asc
    freetype_2.10.4+dfsg.orig-ft2docs.tar.xz
    freetype_2.10.4+dfsg.orig-ft2docs.tar.xz.asc
    freetype_2.10.4+dfsg.orig.tar.xz
However, at publishing time OBS was ignoring these
`.orig-$component.tar.*.asc` files, causing the archive manager
(reprepro or aptly) to fail since it was not getting some of the files
listed in the `.dsc`.

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/60
Move 2.10.21 to production
2023-06-28T13:23:42Z
Andrej Shadura <andrew.shadura@collabora.co.uk>

See !59

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/59
Merge latest upstream updates from 2.10 branch
2023-06-28T13:23:42Z
Andrej Shadura <andrew.shadura@collabora.co.uk>

Merge in all updates up to 2.10.21.
This MR also updates some Gems extremely conservatively, mostly those related to OmniAuth. A separate task should be created for a more complete update, including updating to a newer OmniAuth version (which can break things).
Unlike the upstream, we don’t want to rely on Gems checked into Git, as
we extend their set of dependencies, and it’s tricky to tell Bundler to
download extra dependencies and not just fail. To make sure Gems aren’t
vendored, add an extra sanity check stage.

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/53
Use aptly-rest-tools
2023-06-23T15:16:29Z
Ryan Gonzalez

https://phabricator.apertis.org/T9436
Signed-off-by: Ryan Gonzalez <ryan.gonzalez@collabora.com>
<hr>
<strike>Draft because this should use a specific tag/commit of the main repo & needs to have the reprepro migration tests run.</strike>

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/58
Move "Publish .orig-$component.tar.*.asc files as well" to production
2023-06-20T08:29:55Z
Andrej Shadura <andrew.shadura@collabora.co.uk>

!55 will be deployed to production.

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/57
Test publishing multitarballs with signatures
2023-06-12T13:00:31Z
Andrej Shadura <andrew.shadura@collabora.co.uk>

Verify that packages with multiple tarballs are handled correctly:
their component tarballs should be published, as well as their
signatures.
Before !55 is merged, the last step of test failed, as can be seen here: https://gitlab.collabora.com/obs/open-build-service/-/jobs/241352
For this, artificially extend the dash package with an empty component
tarball called "vendor", with fake unverifiable signature files only
containing the word "signature".
Instead of editing the `.dsc` file to include those, unpack the source
package and generate it again, allowing `dpkg-buildpackage` to pick up
the new component tarball.

https://gitlab.collabora.com/obs/open-build-service/-/merge_requests/56
Fix XXE vulnerability by upgrading Xmlhash to 1.3.8
2023-06-08T13:03:03Z
Andrej Shadura <andrew.shadura@collabora.co.uk>

Xmlhash 1.3.7 and below incorrectly disabled entity expansion by instead
forcing them to be expanded (since libxml misleadingly named the option
forcing entity expansion `NOENT`). This could be used to force OBS to
connect to external hosts by sending a specially crafted XML file.
See:
* https://github.com/coolo/xmlhash/commit/544e614e2674ad26b97a234baa013723c829b751
* https://stackoverflow.com/questions/38807506/what-does-libxml-noent-do-and-why-isnt-it-called-libxml-ent