rob thijssen
123f692203
Some checks failed
CI / Build cortex SRPM (push) Has been cancelled
CI / Build neuron SRPM (push) Has been cancelled
CI / Publish cortex to COPR (push) Has been cancelled
CI / Publish neuron to COPR (push) Has been cancelled
CI / Bump version in source (push) Has been cancelled
CI / Format, lint, build, test (push) Has been cancelled
Using %attr(,,cortex) / %attr(,,neuron) on config files caused rpm's auto-dep-generator to emit Requires: user(name) and group(name) on each package. When those Requires couldn't be resolved — whether due to sysusers Provides mismatches, missing GPG keys, or dnf5 cache state — dnf5 silently filtered the package out of the candidate set and reported "Nothing to do" rather than an unsatisfied-dep error. Adopt the pattern that already works reliably across our infra (grenade/monsoon): ship config files as default root:root with 0644 perms, don't declare user/group ownership in the rpm file list. systemd-sysusers still creates the service user via the shipped sysusers.d file; the service drops to that user at runtime via the User= directive in the unit. This removes the user(cortex)/user(neuron) Requires entirely, which is the root cause of the dnf5 filtering. File permission tightening can be reintroduced later — either via a separate secrets file with different mode bits, or by moving secret material to /var/lib/<svc>/ where the service drop-privileges account already has write access. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1.9 KiB
1.9 KiB