Mailinglist Archive: opensuse-buildservice (200 mails)

< Previous Next >
[opensuse-buildservice] The next step, OBS 2.3 Beta 1 is released
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Fri, 13 May 2011 16:30:11 +0200
  • Message-id: <130530805.JqhSB1qo1y@scherben>

OBS 2.3 Beta 1 is out!

The main features of this release are

* Full distribution maintenance support. This includes support for the
workflow in OBS and also the patch channel generation.
This functionality can be used at full glance with coordination and review
or just in parts.
* Read access protection for projects (as planned for OBS 2.2)

Apart from that we have many smaller improvements, esp. in the area of request
handling and the webui integration.

Download it

As usual, you find current packages or an appliance in openSUSE:Tools:Unstable
OBS 2.3 Beta 1 is tagged as version 2.2.80.

Please read here for usage details for the appliance:

Current State

The Beta 1 release means that currently no new feature should be commited to
git master
without asking. Open tasks for next weeks are:

* Get webui usable for the maintenance coordination.
* Get documentation in a better shape so that we can switch openSUSE
using the new mechanisms.
* source service generate files may get committed in a different way

* There are absolute zero known regressions known atm. So really everything
be at least as good as in OBS 2.1.x :)
Feel free to run it on your production system, we do it also on :)

The call for help

There are still a number of areas where some clean up is needed. For example we

* 17 FIXME2.2 lines in the code (means that read access handling code needs
* 8 FIXME2.3 lines in the code (maintenance code needs a revisit here)
* Unknown state of Cross architecture builds. It would be nice if someone can
so that the OBS Appliance can build for arm architectures out of the box.

Please find the full Release Notes below:

# openSUSE Build Service 2.3

Please read the README.SETUP file for initial installation
instructions or use the OBS Appliance from

There is also an install medium with installs OBS on hard disc now.

README.UPDATERS file has informations for updaters.

OBS Appliance users who have setup their LVM can just replace
their appliance image without data loss. The migration will
happen automatically.

Main Features

The main topic of OBS 2.3 is to deliver a number of features to allow
product maintenance handling with OBS. No external build or tracking tool
is needed to do the typical maintenance workflow of a distribution team.

The usage of these features are documented in the OBS book:

OBS 2.3 comes also with a feature which was planned for the not released
OBS 2.2 version. New created projects can set to hidden. That means no source
or binary read access is possible. Please read the following for details:

To be considered regarding read access checks

* "access" flag is hiding and protecting entire project. This includes binaries
and sources. It can only be used at project creation time and can just be
globally enabled (aka make it public again) afterwards.
This flag can only be used on projects.

* "sourceaccess" flag is hiding the sources to non maintainers, this includes
also debug packages
in case the distribution is supporting this correctly.
This flag can also only be used at package creation time. There is no code
yet which is checking for possible references to this package.
This flag can be used on projects or packages.

* "downloadbinary" permission still exists like before. However, unlike
and "sourceaccess" this is not a security feature. It is just a convinience
feature, which
makes it impossible to get the binaries via the API directly. But it still
to get the binaries via build time in any case.

Security aspects

Former OBS releases lack protection against XSS attacks. Esp. public instances
should update to OBS 2.3, which is using rails plugins to protect against XSS
attempts. This fixes (CVE-2011-0462).

Apache & mod_rails switch

Former OBS versions used lighttpd as default web server. We have switched to
apache with mod_rails (known as passenger) as default web server.
We have also added an mod_xforward apache module to allow unloading the rails
stack with long running requests to the backend.
Please note that current apache2 versions have a known bug which cuts the http
headers regardless to it's configuration. Please use apache2 from openSUSE:Tools
project to get this fixed for now.
Also the patched version of rubygem-passenger from openSUSE:Tools project is

Known Regressions to 2.1:

* none yet


* web interface improvements:
- package filtering
- Generic authentification proxy support
- delete request dialogs
- request and review handling improvements
- social features, i.e. show other user's projects and requests

* api
- review of requests by project or package maintainers is possible now (FATE
- better Cross-Site Scripting (XSS) protection
- larger number of request handling improvements

* backend:


* web interface
- bug reporting for projects/packages is only possible if a bugowner is set
- XSS protection plugins are used now (CVE-2011-0462)

* api
- It was not possible so far to create submit requests from packages where no
write access exists.
This is possible now, but the source package maintainer will get asked for
review the request.
- the route /group/$GROUP is showing correct xml description and no directory


The following calls have been marked as deprecated, they will get removed in
OBS 3.0

* api
- /person/$LOGIN/group -> use /group?login=$LOGIN instead


* The OBS server should not run on a system with less than 2GB memory.
4GB is recommended, esp. when the same system is also building packages.

* Use osc 0.131 or later to get access to the new features.

* Usage of Ruby on Rails version 2.3.11 is recommended.

Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@xxxxxxx

To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages