DO NOT MERGE: Testing https://github.com/containers/image/pull/2636 #24629
Conversation
Signed-off-by: Miloslav Trmač <[email protected]>
openshift-ci
bot
added
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mtrmac The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
Ephemeral COPR build failed. @containers/packit-build please check. |
The Go RPM is too old Signed-off-by: Miloslav Trmač <[email protected]>
|
For transparency, note the “HACK DO NOT MERGE: Skip testing on F40” commit. |
|
@mtrmac We cannot bump go versions so aggressively, should we add fedora -1 tests to c/common,image,storage to prevent bumps that cannot be build later down in the stack? I have hopes that this specific instance may get fixed with sigstore/sigstore#1878 but then again any dependency can introduce a bump so I feel like we must guard against that early |
|
@Luap99 Yes, this is now a problem. Historically, the Go patch version bumps typically included a vulnerability fix, which meant that Fedora would update quickly. That hasn’t now been the case in Go 1.22.{7,8}. I don’t feel strongly about automation forcing us to build on Fedora N-1. On the one hand, it would certainly prevent inconvenience like this, OTOH it might delay us from making updates (e.g. updates of dependencies fixing vulnerabilities) until a Fedora Go RPM lands in the stable stream. Let’s see how the sigstore PR fares; in the worst case we can downgrade the sigstore dependency in c/image (and others?) at the last moment, on a short notice. |
|
The c/image PR was merged. |
Does this PR introduce a user-facing change?