Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

updates: add barrier releases as part of f33 bump SOP #201

Merged
merged 1 commit into from
Oct 2, 2020

Conversation

dustymabe
Copy link
Member

As part of the procedure to move to the next major Fedora release
we are adding a barrier for the last release of Fedora CoreOS based
on Fedora 31 content. This is a guarantee that systems have the
appropriate keys to validate the commits signed by the latest builds.

Note: there were no F31 releases on the next stream so skip adding
the barrier release there.

See:

As part of the procedure to move to the next major Fedora release
we are adding a barrier for the last release of Fedora CoreOS based
on Fedora 31 content. This is a guarantee that systems have the
appropriate keys to validate the commits signed by the latest builds.

Note: there were no F31 releases on the `next` stream so skip adding
      the barrier release there.

See:

- coreos/fedora-coreos-tracker#480 (comment)
- https://github.com/coreos/fedora-coreos-config#moving-to-a-new-major-version-n-of-fedora
@dustymabe
Copy link
Member Author

tagging in @jlebon @bgilbert and @lucab to sanity check me here.

Copy link
Member

@jlebon jlebon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me!

"version": "31.20200517.3.0",
"metadata": {
"barrier": {
"reason": "https://github.com/coreos/fedora-coreos-tracker/issues/480#issuecomment-631724629"
Copy link
Contributor

@lucab lucab Oct 2, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Going on, do we want to have an explicit ticket or discourse entry to explain what is the effect of this specific kind of barriers? That is, something easier to read for users and explaining that there signing keys embedded in the OS that needs to be rotated/refreshed.

Copy link
Member Author

@dustymabe dustymabe Oct 2, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah I was thinking it would be nice to have that. Would you mind creating that (maybe a FAQ entry) and I can update this PR?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I can, but I didn't want block this PR on that, we can always retroactively update the URL.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good! I'll update the URL when that's ready. Thanks for offering to do that!

@dustymabe dustymabe merged commit 106c8f6 into coreos:master Oct 2, 2020
@dustymabe dustymabe deleted the dusty-barrier-releases-f33-bump branch October 2, 2020 13:44
@lucab
Copy link
Contributor

lucab commented Oct 5, 2020

I was trying to write a doc-page with an example based on this, and I ended up being confused by what I see.

Taking the stable stream as an example, 31.20200517.3.0 is the last version based on F31 and this PR just introduced a barrier on it, as we are starting to rebase on F33. However this image does not seem to contain the public signing key for F33:

[core@localhost ~]$ grep OSTREE /etc/os-release 
OSTREE_VERSION='31.20200517.3.0'

[core@localhost ~]$ ls -v /usr/etc/pki/rpm-gpg/*primary | tail -3
/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-30-primary
/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-31-primary
/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-32-primary

@jlebong @dustymabe did I misunderstand something?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants