Freshmaker SOP

When a spec file changes on a particular dist-git branch, trigger rebuilds of all modules that declare dependencies on that rpm branch.

Consider the traditional workflow today. You make a patch to the f27 of your package, and you know you need to build that patch for f27, and then later submit an update for this single build. Packagers know what to do.

Consider the modular workflow. You make a patch to the 2.2 branch of your package, but now, which modules do you rebuild? Maybe you had one in mind that you wanted to fix, but are there others that you forgot about — that you don’t even know about? Kevin could maintain a module that pulls in my rpm branch and he never told me. Even if he did, I have to now maintain a list of modules that depend on my rpm, and request rebuilds of them everytime I patch my .spec file. This is unmanageable.

Freshmaker deals with this by watching the bus for dist-git fedmsg messages. When it sees a change on a branch, it looks up the list of modules that depend on that branch, and requests rebuilds of them in the MBS.

When a traditional rpm or modular rpm is shipped stable, this trigger rebuilds of all containers that ever included previous versions of this rpm.

This applies to both modular and non-modular contexts. Today, you build an rpm that fixes a CVE, but some other person maintains a container that includes your RPM. Maybe they never told you about this. Maybe they didn’t notice your CVE fix. Their container will remain outdated and vulnerable.. forever?

Freshmaker deals with this by watching the bus for dist-git messages about rpms being shipped to the stable updates repo. When they’re shipped, it looks up all containers that ever included pervious versions of the rpm in question, and it triggers rebuilds of them.

Waiting until the rpm ships to stable is necessary because the container build process doesn’t know about unshipped content. This is how containers are built manually today, and it is annoying. Which brings us to the more complicated…​

When a traditional rpm or modular rpm is signed, generate a repo containing it and rebuild all containers that ever included that rpm before. This is the better version of the slow flow, but is more complicated so we’re deferring it until after we’ve proved the first two cases out.

Freshmaker will do this by requesting an interim build repo from ODCS (the On Demand Compose Service). ODCS can be given the appropriate koji tag and will produce a repo of (pre-signed) rpms. Freshmaker will request a rebuild of the container and will pass the ODCS repo url in. This gives us an auditable trail of disposable repos.