From Fedora Project Wiki


Revision as of 22:51, 15 August 2018 by Kevin

HTTPS commits to src.fedoraproject.org

Background

In the past, pkgs.fedoraproject.org was the host that maintainers used to upload package sources via https and push commits via ssh. All such commits via ssh required the user to be in the 'packager' group, because the host created actual accounts for each packager, then restricted them to commits. If a user was not in that group, they wouldn't be known to the ACLs and would be denied.

When we moved to src.fedoraproject.org with a Pagure instance in front of it, this limitation was still in place, so users were able to fork packages but unable to push to their forks.

This limitation is now removed and https pushes are available for all users who have permissions to commit to packages/modules/containers/tests and forks thereof.

How it works

fedpkg (starting with version 1.34) has the ability to fetch an OIDC token from src.fedoraproject.org and then use that token to push commits over https. You also need to have python-openidc-client >= 0.6.0 installed.

You will need to do your git clone with -a (anonymous) for now, and will need to be using a graphical session (so your browser can be used to get the token you need).
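
A preflight check for the requirements listed above, as an added example that is not part of the original wiki page or of fedpkg. The minimum versions are the page's; the function names, the DISPLAY/WAYLAND_DISPLAY heuristic for a graphical session, the https:// test for an anonymous clone and the sample URL are assumptions.

```shell
# Added example: check the prerequisites for https pushes before trying one.
# Minimum versions come from the page; everything else here is an assumption.
MIN_FEDPKG="1.34"
MIN_OIDC_CLIENT="0.6.0"

# version_ge A B: succeed when A is a dotted numeric version and A >= B.
# Empty or non-numeric input (e.g. "package ... is not installed") fails.
version_ge() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# has_graphical_session DISPLAY WAYLAND_DISPLAY: heuristic (assumption) that a
# browser can be opened when either variable is non-empty.
has_graphical_session() {
    [ -n "$1" ] || [ -n "$2" ]
}

# remote_is_https URL: true when the clone's remote uses https, which is what
# an anonymous (-a) clone is assumed to produce.
remote_is_https() {
    case "$1" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# preflight FEDPKG_VER OIDC_VER DISPLAY WAYLAND_DISPLAY REMOTE_URL
# Prints one line per unmet requirement; the exit status is the failure count.
preflight() {
    failures=0
    version_ge "$1" "$MIN_FEDPKG" ||
        { echo "fedpkg '$1' is older than $MIN_FEDPKG or missing"; failures=$((failures + 1)); }
    version_ge "$2" "$MIN_OIDC_CLIENT" ||
        { echo "python-openidc-client '$2' is older than $MIN_OIDC_CLIENT or missing"; failures=$((failures + 1)); }
    has_graphical_session "$3" "$4" ||
        { echo "no graphical session: a browser is needed to get the token"; failures=$((failures + 1)); }
    remote_is_https "$5" ||
        { echo "remote '$5' is not https: re-clone with -a"; failures=$((failures + 1)); }
    return "$failures"
}

# Constructed sample call (values are made up for illustration):
#   preflight 1.34 0.6.0 ":0" "" "https://src.fedoraproject.org/rpms/example.git"
# On a real system the versions could come from: rpm -q --qf '%{VERSION}' <package>
# and the remote from: git remote get-url origin
```
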

Future plans

Slowly over time we plan to transition all users to https pushing for commits and retire the ssh service. There will be a lot of notice for this and it will only happen after https pushing is well established and working.

FAQ

Q: Can I do a push on a headless machine?

A: Not yet. Currently you need a graphical session with a browser (Firefox, Chrome, etc.). This will likely change down the road.

Q: Can I still push via ssh?

A: If you are in the packager group you can still push via ssh.

Q: Once I get a token how long is it good for?

A: ?

Q: Where does fedpkg store the token?

A: