A few weeks back I started a discussion <https://discussion.fedoraproject.org/t/accidental-secrets/143559> about accidental secrets, using Konflux as an example. Now that FOSDEM has come and gone, I’d like to take the topic further. If you’re not familiar with it, in its own words <https://konflux-ci.dev/>, Konflux-ci “is an open source, cloud-native software factory focused on software supply chain security”, but for the sake of this discussion, it’s probably better to think of it as “the aspirational replacement for the myriad build and CI systems Red Hat uses in all its products”. Aspirational is key- we aren’t there yet… and it’s going to take a while to get there.
Despite many months of development, rpm support is just now being plumbed into the system (containers happened first). In fact, at this year’s CentOS Connect <https://connect.centos.org/> had Mike McLean, lead developer of koji <https://koji.build/>, presented “Building RPMs with Konflux <https://www.youtube.com/watch?v=wORt4PDGf6o>”. In his talk he related some of the details about the interim rpm approach, which injects builds into the koji after a build is complete. This seems weird, but it makes sense: When your goal is to eventually replace the full pipeline, but it’s going to take a long time, you have to write some throw-away code that bridges new to old. Talking about replacing koji can evoke understandable feelings and skepticism: Fedora has used it since at least version 7, when Core & Extras merged- it’s effectively always been there. Also, Red Hat has previously started infrastructure replacement projects, then changed course. Also, its development isn’t far enough along that it could replace koji any time soon. Also, some parts are only now going into an upstream git forge (the outstanding work is to replace some hard-coded Red Hat internal values with a configuration system). With all this in mind, the big question is: When and how is it the right time to officially bring up Konflux in the Fedora community context? If it happens too early, it won’t look credible or be useful. If it happens too late, there won’t be an opportunity for interested community members to meaningfully shape its development. So far, Red Hat’s development team has erred on the side of too-early, with presentations in 2024 at Flock and Devconf. Community feedback is valuable and showing up too late to accept it would be a loss. Beyond presentations at conferences, the development team has created a Konflux + Fedora SIG <https://github.com/konflux-ci/community/blob/main/sigs/fedora.md>, its own community mailing list <https://groups.google.com/g/konflux>, and even a matrix chat channel <https://chat.fedoraproject.org/#/room/#konflux:fedora.im>. The astute observer may note that some of the above URLs contain a combination of github.com and fedoraproject.org addresses. Similar to gcc using gnu.org and gnome using gnome.org, Konflux is meant to grow into a proper open source upstream, that many downstreams use, so public presence is not in Fedora alone. As it matures, I expect Konflux to be part of the way we improve Fedora CI, to be part of what powers a more intuitive git-native workflow, and an easier onramp for people who don’t currently participate in Fedora to join in with less friction. These dreams may be a little way out, but they are worth pursuing as we bring Forgejo online and realize its potential. So, what are the next steps right now? Let’s talk about it. (This is cross-posted <https://discussion.fedoraproject.org/t/konflux-what-is-the-right-time/146722> on the discussion forum). -- Brendan Conoboy / Community Linux Engineering / Red Hat, Inc.
-- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
