From Fedora Project Wiki

< Infrastructure

Revision as of 06:06, 19 September 2018 by Puiterwijk (talk | contribs)

HTTPS commits to


In the past, was the host that maintainers used to upload package sources via https and push commits via ssh. All such commits via ssh required the user to be in the 'packager' group, because the host created actual accounts for each packager, then restricted them to commits. If a user was not in that group, they wouldn't be known to the acls and would be denied.

When we moved to with a pagure instance in front of it, this limitation was still in place, leading to users being able to fork packages, but being unable to push to their forks.

This limitation is now removed and https pushes are available for all users who have permissions to commit to packages/modules/containers/tests and forks thereof.

How it works

fedpkg (starting with version 1.34) has the ability to fetch a OIDC token from and then use that token to push commits over https. You also need to make sure and have python-openidc-client => 0.6.0 installed)

You will need to do your git clone with -a (anonymous) for now, and will need to using a graphical session (so your browser can be used to get the token you need).

Future plans

Slowly over time we plan to transition all users to https pushing for commits and retire the ssh service. There will be a lot of notice for this and it will only happen after https pushing is well established and working.


Q: On push, git asks for a username and password, what do I enter there?

A: This means you cloned with an old version of fedpkg. Do a fedpkg push (instead of git push) once after upgrading to fedpkg 1.34 or higher. Under no circumstances should you enter your FAS password in the CLI.

Q: Can I do a push on a headless machine?

A: Not yet. Currently you need a graphical session with a browser (firefox, chrome, etc). This will likely change down the road.

Q: Can I still push via ssh?

A: If you are in the packager group you can still push via ssh for now. In time, we are planning to deprecate this.

Q: Can I get a token on one system and then copy it to another?

A: Yes, but make sure you move it rather than copying or you keep the files in sync, since the token will be automatically refreshed and stored on-disk.