Koji 1.27.0 Release notes

All changes can be found in the roadmap. Most important changes are listed here.

Migrating from Koji 1.26/1.26.1

For details on migrating see Migrating to Koji 1.27

Security Fixes


Client Changes

set-task-priority permission error fix

CLI confusingly reported “closed task” even in case when user was “just” missing the admin permission.

Honour –force-auth for anonymous commands

This option was not respected in some cases.

Propagate error in write-signed-copies

Due to speedup changes some errors could have been hidden. Now we’re catching them all and displaying properly in write-signed-copies command.

Be tolerant of stops/jumps kwargs in list-tag-inheritance

Older client can emit errors when used against a newer hub as it could use already deprecated options. We’re now more tolerant to these.

Dist-repo with write-signed-rpm option

New option for dist-repo –write-signed-rpms. As there could be garbage-collected signed copies, dist-repo can fail and these rpms must be manually reconstructed. This new option will allow user with sign permission to prepare required rpms to be ready for the distRepo task.

call –json default option set up to str

Bugfix for converting some datetime values to proper json when using call command.

Add option for UTC time in list-history

list-history now accepts --utc option which will display dates in UTC instead of local timezone.

API Changes

listBuilds/list-builds filtering via CG

API call listBuilds (and its CLI counterpart) now accepts cgID (--cg) option which adds another filter based on content generator type.

Deprecate taskReport

This call will be removed in the future.

queryRPMSigs accepts RPM ID, NVRA and dict

To be aligned with other calls, queryRPMSigs now accepts all rpm ID specifications (integer ID, NVRA string or NVRA dict)

Deprecate koji.listFaults

Another candidate for removal

Deprecated force option in groupReqListRemove call

And another one

getBuildType: ensure id exists in buildinfo dict

More robust handling of input (NVR dict is sufficient now)

Add strict option to listTagged, listTaggedRPMS, listTaggedArchives

For better differentiation between empty results for correct inputs and wrong inputs (non-existing tag, etc.) strict option was added to these calls.

Builder Changes

Import guestfs before dnf

Linking conflicts between json-parsing libraries used by guestfs and dnf led us to include a small hack. Now it should be again possible to build docker images via oz.

Better error messages for Task.lock()

Improved error logging related to multiple builders competing in task allocation.

Restart kojid and kojira services automatically

systemd services were updated to automatically restart on failure with one minute delay.

Retry get_next_release to avoid race condition

In rare cases there was still race condition with starting image/maven builds with same auto-incremented release. This should fix this behaviour completely.

System Changes

Honour taginfo option in policy_get_build_tags

Deleted buildtags can break some policies. As these are more frequent these days (via sidetag usage patterns) we have also hit this problem. It should be fixed now.

Fix scripts for koji pkg and drop utils from py2

Packaging fixes for regression. koji-utils are py3-only.

Create symlink before import

Windows builds were not properly handling importing builds back to hub if volume policy put the build to non-default volume.

Speedup untagged_builds query

untagged_builds call is used by garbage collection and it is now about 100% faster. It doesn’t matter that much to GC itself as it needn’t to be particularly fast but other queries/users are not blocked by this query lock.

Support packages that are head-signed

DSA and RSA header signatures (RPMv4 scheme) support.

Tasks respect disabled channels

In last release option to “disable” channel was introduced. Anyway, tasks were happily requesting those channels and were never executed as no builder picked them. Now they fail immediately if the channel is disabled/non-existent in the moment of task creation.

Check spec_url for wrapperRPM task source policy test

wrapperRPM tasks now properly propagate data for source policy test.

Allow user on git://, git+http://, git+https://, and git+rsync:// scheme

We’ve not propagated username (or token) to builder. As this data are already visible in task it doesn’t make sense to conceal them on the builder. There are legitimate cases when token is used, so we are now propagating it without restriction.

Logging warning messages about deleteBuild or deletedRPMSig

Last release introduced deleteRPMSig API call. It is the second call which irrecoverably destroys build data so it should be better logged. We’re now capturing more data in the logs (especially the user).

Remove translation stub functions

We’ve never used the i18n _ call and we don’t plan to introduce any translation. So, we’ve decided to remove these stubs to make code a bit more readable and consistent.

Add specfile log to wrapperRPM

As specfile in wrapperRPM is modified from template it is nice to store this file in similar way to modified kickstarts in oz tasks.


Allow kojiweb to proxy users obtained via different mechanisms

New proxyauthtype option is introduced to gssapi_login and ssl_login methods. It allows user1 (typically web interface) to proxy another user2 (via standard proxyuser option) with different authentication mechanism than user1. E.g. user is authenticated to webui by gssapi, while webui itself authenticates via SSL certificate.



Don’t throw exception when auth fails

More proper exit when authentication fails to not trigger abrt.

Implement ignore_other_volumes option

Option to forbid kojira to delete repos on non-default volumes.


Some documentation updates | PR: https://pagure.io/koji/pull-request/2994 | PR: https://pagure.io/koji/pull-request/2995 | PR: https://pagure.io/koji/pull-request/2996 | PR: https://pagure.io/koji/pull-request/2997 | PR: https://pagure.io/koji/pull-request/3000 | PR: https://pagure.io/koji/pull-request/3013 | PR: https://pagure.io/koji/pull-request/3023 | PR: https://pagure.io/koji/pull-request/3029 | PR: https://pagure.io/koji/pull-request/3038 | PR: https://pagure.io/koji/pull-request/3051 | PR: https://pagure.io/koji/pull-request/3062 | PR: https://pagure.io/koji/pull-request/3070 | PR: https://pagure.io/koji/pull-request/3085 | PR: https://pagure.io/koji/pull-request/3086 | PR: https://pagure.io/koji/pull-request/3096 | PR: https://pagure.io/koji/pull-request/3102 | PR: https://pagure.io/koji/pull-request/3021 | PR: https://pagure.io/koji/pull-request/3026

New tests | PR: https://pagure.io/koji/pull-request/3027 | PR: https://pagure.io/koji/pull-request/3037 | PR: https://pagure.io/koji/pull-request/3056 | PR: https://pagure.io/koji/pull-request/3075

Basic security checks with bandit