Skip to content
This repository
Fetching contributors…

Octocat-spinner-32-eaf2f5

Cannot retrieve contributors at this time

file 182 lines (132 sloc) 7.657 kb
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181
#
# Open Build Service 2.3
#

Please read the README.SETUP file for initial installation
instructions or use the OBS Appliance from

  http://en.opensuse.org/Build_Service/OBS-Appliance

There is also an install medium with installs OBS on hard disc now.

dist/README.UPDATERS file has informations for updaters.

OBS Appliance users who have setup their LVM can just replace
their appliance image without data loss. The migration will
happen automatically.


Main Features
=============

The main topic of OBS 2.3 is to deliver a number of features to allow
product maintenance handling with OBS. No external build or tracking tool
is needed to do the typical maintenance workflow of a distribution team.

The usage of these features are documented in the OBS book:

  http://doc.opensuse.org/products/draft/OBS/obs-reference-guide_draft/

OBS 2.3 comes also with a feature which was planned for the not released
OBS 2.2 version. New created projects can set to hidden. That means no source
or binary read access is possible. Please read the following for details:

To be considered regarding read access checks
=============================================

* "access" flag is hiding and protecting entire project. This includes binaries
  and sources. It can only be used at project creation time and can just be
  globally enabled (aka make it public again) afterwards.
  This flag can only be used on projects.
  NOTE: there is no support in request system to hide projects which should not
        be visible. Don't create requests if you don't want to expose them.

* "sourceaccess" flag is hiding the sources to non maintainers, this includes also debug packages
  in case the distribution is supporting this correctly.
    This flag can also only be used at package creation time. There is no code
  yet which is checking for possible references to this package.
  This flag can be used on projects or packages.

* "downloadbinary" permission still exists like before. However, unlike "access"
  and "sourceaccess" this is not a security feature. It is just a convinience feature, which
  makes it impossible to get the binaries via the API directly. But it still possible
  to get the binaries via build time in any case.

Security aspects
================

Former OBS releases lack protection against XSS attacks. Esp. public instances
should update to OBS 2.3, which is using rails plugins to protect against XSS
attempts. This fixes (CVE-2011-0462).

Building in "chroot" environments is known to be unsecure. XEN and KVM is considered to
be a secure environment. However KVM is known to be unstable, it leads to build
failures.

Apache & mod_rails switch
=========================

Former OBS versions used lighttpd as default web server. We have switched to
apache with mod_rails (known as passenger) as default web server.
We have also added an mod_xforward apache module to allow unloading the rails
stack with long running requests to the backend.
Please note that apache2 version 2.2.10 has a known bug which cuts the http
headers regardless to its configuration. We created a patch for 2.2.10. If
you're using version 2.2.10, please use our patched apache2 from the openSUSE:Tools
project. Apache2 with version 2.2.12 or later from SLE11 SP1 (or later) already
has the patch.
Also the patched version of rubygem-passenger from openSUSE:Tools project is recommended.
Anything later than version 3.0.8-2.24 should be sufficient.

Known incompatible changes to OBS 2.1:
======================================

* The experimental marked _patchinfo file format has changed incompatible.
  It is considered to be stable now.

* Building arm, mips or sh4 repositories on i586 or x86_64 hosts require an additional
  line in project config, defining the host architecture. (eg. Hostarch: x86_64)
  (Native build of these architectures is working now in return)

Features:
=========

- Maintenance handling functionality. Details in OBS reference book.
- Generic authentification proxy support
- Project access visibility and access protection
- Tracking of bugzilla or CVE issues in source changes and tracking servers

* web interface improvements:
  - package filtering
  - New request and review handling interfaces
  - social features, i.e. show other user's projects and requests

* api
  - review of requests by project or package maintainers is possible now (FATE #310806)
  - better Cross-Site Scripting (XSS) protection
  - larger number of request handling improvements

* backend:
  - dispatcher got rewritten having a more clever sort order based on defined
    priorities and the trigger reason.


Changes:
========

* web interface
  - bug reporting for projects/packages is only possible if a bugowner is set
  - XSS protection plugins are used now (CVE-2011-0462)

* api
  - It was not possible so far to create submit requests from packages where no write access exists.
    This is possible now, but the source package maintainer will get asked for review the request.
  - the route /group/$GROUP is showing correct xml description and no directory anymore

* declined request state is considered as still open
  - request creators are supposed to re-act when their request got declined. They can revoke, re-open
    or re-submit new sources.
  - declined requests are shown in the webui "My Work" page and in "osc my rq"

* new source service handling
  - Source services do not generate an extra commit for the result. Instead they work like
    source links, this means the generated files become visible with expand=1 parameter.
  - The state of the service is visible via serviceinfo element in package file list.

* The scheduler is excluding the link information on calculating rebuilds. This means it triggers
  only builds when the merged source has changed.
  NOTE: as a side effect all linked packages will get rebuild due to changed md5sum after 2.3 update.

* The backend is only accepting write access from the localhost by default. Build results can be
  still delivered from any host. This can be changed in BSConfig.pm

* The scheduler architectures of armvXel and armv7hl are recommended to be renamed to armvXl.
  Package architectures can be kept to arm7hl or armv8l via the "Target: " tag in project config.

Deprecated:
===========

The following calls have been marked as deprecated, they will get removed in OBS 3.0

* api
  - /person/$LOGIN/group -> use /group?login=$LOGIN instead

* cross compile: copying installed qemu binaries into the worker is still supported but
                 deprecated. It is suggested to install qemu instead.

Requirements:
=============

* The OBS server should not run on a system with less than 2GB memory.
  4GB is recommended, esp. when the same system is also building packages.

* Filesystems which may be used for the backend data:
  - XFS is fully validated to work. You should keep the default to do datasync in
    BSConfig.pm to avoid corrupted files on system crashes. It is known not to be
    the best performing FS for OBS.
  - Ext4 is not validated but should work. datasync calls can be savely disabled.
  - BTRFS is known to have hard link limitations which currently can break OBS.

* Use osc 0.134 or later to get access to the new features.

* Usage of Ruby on Rails version 2.3.14 is recommended. This should also be available
  from the openSUSE:Tools project, so long as you're running SLES11 SP1 or later.

General Notes:
==============

* The api delayed job will parse all sources in all packages once after
  updating (to detect package kind and mentioned issues). This is a long
  running job and will create some load.

Something went wrong with that request. Please try again.