Okay, F44 was just branched, time to move on with this finally.
I'm planning to flick the switch next Monday, Feb 16th, infrastructure
and life permitting. And, be prepared to flick it back and forth a few
times in the face of unforeseen complications.
To the extent I've been able to test, the core build toolchain - mock,
copr and koji are fine with this change. As should be anything that uses
dnf to install and disables signature checks for repos that don't have
them. But who knows what all is out there lurking in the CI and so on,
no doubt there will be changes required to various machineries.
If you run into a showstopper wrt this, file a bug and we'll see what we
can do about it. And revert temporarily if needed.
- Panu -
On 1/15/26 11:48 AM, Panu Matilainen wrote:
...and now that we'd be ready to go ahead, the mass rebuild is just
about to start, and we sure don't want to mess with THAT.
And right after the rebuild F44 is branched, so I think it's time to
face the music and acknowledge that we missed the window for F44, and
postpone this change to F45.
Right after F44 is branched is really the ideal time to introduce this
type of change into rawhide anyway, because then we really have the full
cycle to deal with any fallout.
- Panu -
On 12/9/25 3:45 PM, Panu Matilainen wrote:
Hey all,
I was originally hoping to flick the switch as soon as
https://fedoraproject.org/wiki/Changes/Enforcing_signature_checking_by_default
got accepted, but in my test-builds, an unexpected setback appeared.
That setback is now resolved (a silly one-liner cmake issue causing a
miscompilation), but it's now also getting quite close to the X-mas
break. Apparently a lot of folks will be heading off next week
already, and then I myself will be unavailable for more than two
weeks. This just doesn't seem like a good time to do a potentially
disruptive change. So, instead of creating unnecessary stress just
before X-mas, let's just push this to 2026. The plan is now to flick
signature enforcing mode on in RPM on week 3 of 2026, Jan 13th most
likely.
For those wanting to test it in advance, f44-build-side-123720 side-tag
has an RPM with the enforcing mode enabled. There's no intention
to merge this side-tag, it's purely for testing purposes so feel free
to test builds if needed and so on. I've built one package (popt)
there to verify that building in koji works with the enforcing mode
enabled. It does, and Fedora CI passes for the change itself, so at
least basic operation of the buildsystem seems to work. For all the
things out there that I don't even know about, we'll see. If it uses
dnf with appropriately configured gpgcheck= entries on repos, it
should continue to work without modifications.
- Panu -
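
The remark above about dnf repos with appropriately configured gpgcheck= entries can be checked ahead of the switch. The following is an added example, not part of the original thread and not code from dnf or RPM: it classifies each enabled repo in a .repo file by its gpgcheck state. The status names, the `audit_repos` helper and the sample repo ids and URLs are assumptions made for illustration.

```python
import configparser
# Boolean spellings recognised by this script (assumed to cover what dnf accepts).
TRUE, FALSE = {"1", "yes", "true", "on"}, {"0", "no", "false", "off"}

# Constructed sample .repo content; repo ids and URLs are placeholders.
SAMPLE = """\
[fedora]
metalink=https://mirrors.example.invalid/metalink?repo=fedora-$releasever&arch=$basearch
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch

[ci-scratch]
baseurl=https://ci.example.invalid/scratch/
gpgcheck=0

[vendor-tools]
baseurl=https://vendor.example.invalid/rpm/

[internal-signed]
baseurl=https://repo.example.invalid/signed/
gpgcheck=True

[old-mirror]
baseurl=https://old.example.invalid/
enabled=0
"""

def audit_repos(text, main_gpgcheck=None):
    """Map each enabled repo id to its gpgcheck state ([main] value optional)."""
    # interpolation=None keeps '%' and '$var' in URLs from being interpreted.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        sec = cp[repo]
        if repo == "main" or sec.get("enabled", "1").strip().lower() in FALSE:
            continue  # not a repo section, or repo not in use
        value = sec.get("gpgcheck", main_gpgcheck)
        if value is None:
            report[repo] = "unset"        # no explicit setting: review this one
        elif value.strip().lower() in FALSE:
            report[repo] = "disabled"     # explicit opt-out for an unsigned repo
        elif value.strip().lower() in TRUE:
            report[repo] = "enforced" if sec.get("gpgkey") else "enforced-no-key"
        else:
            report[repo] = "invalid"      # unrecognised boolean spelling
    return report

if __name__ == "__main__":
    print(audit_repos(SAMPLE))
```

`enforced-no-key` only means the section names no gpgkey=; the signing key may already be imported on the host.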