buildsys queue

Dan Williams dcbw at redhat.com
Sun Nov 26 15:51:22 UTC 2006


On Sat, 2006-11-25 at 11:42 +0100, Michael Schwendt wrote:
> On Fri, 24 Nov 2006 22:27:21 -0500, Dan Williams wrote:
> 
> > On Fri, 2006-11-24 at 20:10 +0100, Axel Thimm wrote:
> > > On Fri, Nov 24, 2006 at 08:05:52PM +0100, Axel Thimm wrote:
> > > > the queue seems to be 2+ days large, is that due to some hardware
> > > > issues mentioned some time ago? If not, could someone please sign/push
> > > > the packages? Thanks!
> > > 
> > > Forget it, I just saw that some packages have been pushed, I just
> > > misinterpreted the status on
> > > http://buildsys.fedoraproject.org/build-status/success.psp, I thought
> > > that if the packages are tagged as "needsign" then they still need to
> > > be signed and pushed to the repo.
> > > 
> > > Would it make sense to add a state of "signedandpushed" or similar?
> > 
> > That state exists, but nobody bothers to move them from 'needsign' to
> > 'finished'.  Technically the push scripts could do this, but they don't.
> 
> What is needed to get it done?
> 
> The push script does not interface with plague in any way yet, so it does
> not know anything about build job numbers. It could reconstruct the build
> job tag from the name/version directory entries in the needsign repo. Is
> that worth anything?

Well, you'll need job #s from the server.  Essentially, you could query
the server for all jobs in 'needsign' state (which means they are done
of course) and grab the package name and version, and then reconstruct
the path to each package's finished RPM directory, and then do whatever
the script normally does.  If the script is successful for that package,
it tells the build server to mark the job as 'finished'.  The 'finished'
calls can be batched up for speed (up to a certain request length
dictated by SQL request length sizes).

> A quick grep on the plague server code returns:
> 
>      # Marking 'needsign' jobs as finished requires admin privs
> 
> Sounds like a first roadblock. What kind of "admin privs" would we need?

Whoever runs the push scripts will need their plague account marked with
admin privs.  The plague client will talk to the server using the
certificate in ~/.plague-client.cfg (the "user-cert" option in there),
or will use the certificate in whatever file is pointed to by the
PLAGUE_CLIENT_CONFIG environment variable.  Whatever user the cert is
for needs the admin privs.

In the end, I don't really think it's worth spending a lot of time on
this unless you're really interested.  Everything seems to be going fine
already, we've got 22,000+ jobs in needsign state and it's not a
problem :)  If somebody is really interested in the "correctness" of the
process, then they could implement this.  Otherwise I don't think
there's a burning need.

Dan
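
The flow described in the message above, sketched as an added example that is not part of the original post and is not plague or push-script code. The job fields, the `push` and `mark_finished` callables, the name/version directory layout and the character-based length cap are all assumptions made for illustration.

```python
import os

# Constructed sample of what a job listing might contain; field names are assumptions.
SAMPLE_JOBS = [
    {"id": 101, "name": "foo", "version": "1.0-1", "status": "needsign"},
    {"id": 102, "name": "bar", "version": "2.3-4", "status": "needsign"},
    {"id": 103, "name": "baz", "version": "0.9-2", "status": "building"},
    {"id": 104, "name": "qux", "version": "1.1-1", "status": "needsign"},
    {"id": 105, "name": "quux", "version": "3.0-1", "status": "needsign"},
]

def rpm_dir(repo_root, job):
    """Rebuild the package's directory from name/version (layout assumed)."""
    return os.path.join(repo_root, job["name"], job["version"])

def batch_ids(job_ids, max_len):
    """Split ids so each comma-joined batch is at most max_len characters."""
    batches, current, size = [], [], 0
    for jid in job_ids:
        token_len = len(str(jid))
        if token_len > max_len:
            raise ValueError("job id %r exceeds the request length cap" % jid)
        added = token_len + (1 if current else 0)  # +1 for the comma
        if size + added > max_len:
            batches.append(current)
            current, size = [jid], token_len
        else:
            current.append(jid)
            size += added
    if current:
        batches.append(current)
    return batches

def finish_pushed_jobs(jobs, repo_root, push, mark_finished, max_len):
    """Push each 'needsign' job; mark only the successful ones 'finished'.

    push(path) -> bool and mark_finished(list_of_ids) are hypothetical
    callables standing in for the push script and the admin-only server call.
    """
    pushed = [job["id"] for job in jobs
              if job["status"] == "needsign" and push(rpm_dir(repo_root, job))]
    batches = batch_ids(pushed, max_len)
    for batch in batches:
        mark_finished(batch)
    return batches
```

A job whose push fails stays in 'needsign' and is picked up on the next run, so the state change never runs ahead of what was actually pushed.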




More information about the fedora-extras-list mailing list