On 06/05/2015 11:29 AM, Mike Bonnet wrote:
On 06/05/2015 11:07 AM, Matthew Miller wrote:
On Fri, Jun 05, 2015 at 05:05:06PM +0200, Pavol Babincak wrote:
just has "HEAD", which is less useful since that moves. I see that it's
>from a chainbuild, but when I look at the list of chainbuilds, I see
that most of those appear to use specific commits too. What's
special/weird about this one?
Koji shows it in a way how the task was submitted. In this case
giturl was constructed with HEAD as git reference.
I guess that's obvious in retrospect. :) How does that happen? Is it
_supposed_ to happen? Can we stop it? Should we?
We can't stop it currently, but we should probably be able to write
policy to prevent it, at least for non-scratch builds.
For a first pass, you could put something like the following in your tag
policy:
source git://*#HEAD :: deny use the actual ref please
This blocks at tag time rather than build time (after build is
complete). Unfortunately we don't have a policy hook for builds in general.
You could get a little fancier than this, but there are limits to glob
patterns. A determined user could easily get around this if they wanted
by using a different non-sha1 ref, but this might help remind folks to
do the right thing.
Going further, you could write a hub plugin to provide a more
complicated check that you could reference in policy.
--
buildsys mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/buildsys
