"Action Items" From FUDCon?

Jeffrey Ollie jeff at ocjtech.us
Mon Jan 14 05:50:07 UTC 2008


On 1/13/08, Jeff Spaleta <jspaleta at gmail.com> wrote:
> On Jan 13, 2008 3:28 PM, Mike McGrath <mmcgrath at redhat.com> wrote:
> > Can anyone think of any action items the infrastructure team (or others
> > for that matter) may need to do as a result of discussions during
> > hackfest/fudcon?
>
> figure out how to get koji to write back an immutable unique tag back
> into cvs for each non-scratch koji build that completes.  Or something
> equivalent so we can regenerate srpms from cvs reasonably easily for
> any package version we have released.  There is an issue right now
> with forced retagging in cvs still being possible which means we can't
> rely on the tags that get created when a contributor does a make tag.

From what I know of CVS, this isn't possible from inside CVS and
likely very difficult from outside CVS too.  Basically, you'd have to
set up a database outside CVS that would track the version (and maybe
the MD5/SHA signature) of every file that koji used to build the SRPM.
With this setup you could at least know if CVS had been messed with
after Koji did the build.

I know I'm going to evoke some groans when I say this, but Git
provides exactly the mechanism that you're looking for.  The Git
commit id is actually a SHA1 hash of the history of a particular
commit.  If you know the Git commit id you can be guaranteed that you
got exactly the same source out that you put in. I believe that
Mercurial has a similar system, however I'm not sure that
Mercurial makes as strong guarantees as Git does.

I believe that both Git and Mercurial provide the ability to GPG sign
a tag - another way to accomplish this goal would be for Koji to sign
the tags that it builds from.

Jeff
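
The external database described in this message, sketched as an added example (not part of the original post, and not Koji or Fedora code): at build time it records the CVS revision and a hash of every file in the checkout, and later compares a fresh checkout of the same tag against that record. It assumes a flat package directory whose CVS/Entries file lists every source file; SHA-256 stands in for the MD5/SHA signature mentioned above, and the file names, revisions, tag and build id are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(checkout):
    """Map file name -> (CVS revision, SHA-256) for each file in CVS/Entries."""
    snap = {}
    with open(os.path.join(checkout, "CVS", "Entries")) as entries:
        for line in entries:
            parts = line.rstrip("\n").split("/")  # /name/revision/timestamp/options/tag
            if line.startswith("/") and len(parts) >= 3:  # skips "D" directory lines
                with open(os.path.join(checkout, parts[1]), "rb") as f:
                    snap[parts[1]] = (parts[2], hashlib.sha256(f.read()).hexdigest())
    return snap

def verify(recorded, checkout):
    """Compare a fresh checkout of a tag with the snapshot recorded at build time."""
    now, findings = snapshot(checkout), []
    for name in sorted(set(recorded) | set(now)):
        was, cur = recorded.get(name), now.get(name)
        if was is None:
            findings.append((name, "not in build"))
        elif cur is None:
            findings.append((name, "missing"))
        elif cur[0] != was[0]:
            findings.append((name, "revision %s -> %s" % (was[0], cur[0])))
        elif cur[1] != was[1]:
            findings.append((name, "content changed"))
    return findings

def write_checkout(root, files):
    """Constructed sample data: a flat package directory with a CVS/Entries file."""
    os.makedirs(os.path.join(root, "CVS"), exist_ok=True)
    with open(os.path.join(root, "CVS", "Entries"), "w") as entries:
        for name, (rev, body) in files.items():
            with open(os.path.join(root, name), "w") as f:
                f.write(body)
            entries.write("/%s/%s/Mon Jan 14 05:50:07 2008//Tfoo-1_0-1\n" % (name, rev))

def demo():
    sources = ("1.2", "0123abcd  foo-1.0.tar.gz\n")
    with tempfile.TemporaryDirectory() as d:
        write_checkout(d, {"foo.spec": ("1.4", "Version: 1.0\n"), "sources": sources})
        database = {"build-0001": snapshot(d)}  # kept outside CVS; build id is made up
        clean = verify(database["build-0001"], d)
        # Forced retag: the same tag name now selects revision 1.5 of the spec file.
        write_checkout(d, {"foo.spec": ("1.5", "Version: 1.0\nPatch0: x.patch\n"), "sources": sources})
        return clean, verify(database["build-0001"], d)
```

Calling `demo()` returns the findings before and after the simulated retag. The record only helps if it is stored where CVS committers cannot rewrite it.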



