Draft Proposal: Spin Submission and Approval Process
jspaleta at gmail.com
Tue Mar 4 21:45:55 UTC 2008
On Tue, Mar 4, 2008 at 12:34 PM, Jeff Spaleta <jspaleta at gmail.com> wrote:
> On Tue, Mar 4, 2008 at 12:29 PM, Josh Boyer <jwboyer at gmail.com> wrote:
> > Except spins are done off of released versions of Fedora. Which means
> > the packages they use are already signed with the Fedora key.
> We'd have to have some way to verify that.
Correct me if I'm wrong, but any sort of checksum comparison between
multiple locally built images wouldn't work as a baseline verifier of
which repository a spin was built from, would it? If 4 different
people took the kickstart and rebuilt it using the livecd tools on
different machines at different times, using packages from the Fedora
repository... they wouldn't end up with images with the same checksums.