From Fedora Project Wiki

Revision as of 16:04, 20 September 2018

HTTPS commits to src.fedoraproject.org

Background

In the past, pkgs.fedoraproject.org was the host that maintainers used to upload package sources via https and push commits via ssh. All such commits via ssh required the user to be in the 'packager' group, because the host created actual accounts for each packager, then restricted them to commits. If a user was not in that group, they wouldn't be known to the ACLs and would be denied.

When we moved to src.fedoraproject.org with a Pagure instance in front of it, this limitation was still in place. As a result, users who aren't in the packager group could fork packages but could not push to their forks.

This limitation is now removed by using https pushes, which are available for all users who have permissions to commit to packages/modules/containers/tests or forks thereof.

How it works

fedpkg (starting with version 1.34) has the ability to fetch an OIDC token from src.fedoraproject.org and then use that token to push commits over https. You also need to make sure you have python-openidc-client >= 0.6.0 installed.

You will need to do your git clone with -a (anonymous) for now, and will need to use a graphical session (so your browser can be used to get the token you need).
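
As an added example (not part of the wiki page or of fedpkg itself), this shell preflight checks the requirements listed above before a push: the two minimum versions, an https push URL, and a graphical session. It assumes an anonymous clone has an https:// push URL and that a non-empty DISPLAY or WAYLAND_DISPLAY indicates a graphical session; the function names and sample values are constructed.

```shell
#!/bin/sh
# Added example: preflight for "fedpkg push" over https. Values are passed in
# so the check can be exercised offline; on a real system gather them with e.g.
#   rpm -q --qf '%{VERSION}' fedpkg
#   git remote get-url --push origin
#   echo "${DISPLAY:-$WAYLAND_DISPLAY}"

# version_ge A B: succeeds when dotted version A >= B.
# Uses "sort -V" so that 1.4 is correctly treated as older than 1.34.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# push_preflight FEDPKG_VER OIDC_CLIENT_VER PUSH_URL SESSION
# Prints one line per unmet requirement and returns the number of problems.
push_preflight() {
    problems=0
    if ! version_ge "$1" 1.34; then
        echo "fedpkg $1 is older than 1.34: upgrade, then run 'fedpkg push' once"
        problems=$((problems + 1))
    fi
    if ! version_ge "$2" 0.6.0; then
        echo "python-openidc-client $2 is older than 0.6.0"
        problems=$((problems + 1))
    fi
    case "$3" in
        https://*) ;;
        *)  echo "push URL is not https: clone again with 'fedpkg clone -a'"
            problems=$((problems + 1)) ;;
    esac
    if [ -z "$4" ]; then
        echo "no graphical session: the browser step for the token cannot run"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample values (not taken from a real system).
push_preflight 1.33 0.5.0 'ssh://user@git.example.org/rpms/pkg' '' \
    || echo "-> $? problem(s) found"
push_preflight 1.34 0.6.0 'https://src.fedoraproject.org/rpms/pkg.git' ':0' \
    && echo "-> ready for fedpkg push"
```

If any line is printed, fix that item first; a username and password prompt from git is never the place to type a FAS password.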

Future plans

Slowly over time we plan to transition all users to https pushing for commits and retire the ssh service. There will be a lot of notice for this and it will only happen after https pushing is well established and working.

FAQ

Q: On push, git asks for a username and password, what do I enter there?

A: This means you cloned with an old version of fedpkg. Do a fedpkg push (instead of git push) once after upgrading to fedpkg 1.34 or higher. Under no circumstances should you enter your FAS password in the CLI.

Q: I want to use normal 'git push', can I?

A: No. You need to use fedpkg push as it handles getting you a token and/or using your existing token to authenticate you.

Q: Can I do a push on a headless machine?

A: Not yet. Currently you need a graphical session with a browser (firefox, chrome, etc). This will likely change down the road.

Q: Can I still push via ssh?

A: If you are in the packager group you can still push via ssh for now. In time, we are planning to deprecate this.

Q: Can I get a token on one system and then copy it to another?

A: Yes, but make sure you either move it rather than copying it, or keep the files in sync, since the token will be automatically refreshed and stored on-disk.