On Thu, Mar 13, 2008 at 7:16 PM, Mike McGrath <firstname.lastname@example.org> wrote:
> So we're at the point where we can host spins, how far off are we from
> having the official policy up and ready? The reason I ask is we've been
> asked to link to an external site. There's no technical reason we can't
> do this but at our infrastructure meeting today we decided to make sure to
> run this ticket by those who have been more involved in the decisions,
> policies, etc.
Sorry for not replying to this earlier I've been sick.
There is one outstanding issue with pointing to externally hosted
spins that needs to be resolved. If the spins are built outside the
Fedora build system, do we have a reasonable means to verify that the
image we are pointing to contains what is the expected result of
running the livecd tools against a contributed kickstart file?
There was a short discussion on -devel-list about using rpm -V on a
mounted image, to verify package payload and signatures. This would
provide some level of verification that Fedora Project signed packages
were used in the image compose. But its not clear that this sort of
check was considered sufficient.
So there's still an open question. Once an image is built, are there
checks that can be performed to ensure the image is what we expect?
My understanding is that the compose process is such that checksums
will differ with every image build, so we can't use any sort of simple
community checksum verification process.
Or will externally hosted binaries still need to be generated inside
the Fedora build system, to ensure that the final binary image was not
influenced by the compose environment.
fedora-advisory-board mailing list