Separating the roles of the QA process

[Pekka Savola]

On Fri, 17 Dec 2004, Marc Deslauriers wrote:
>>   3) the VERIFY QA is obligated to:
>>     - check the GPG signature and checksum of the packages
>>     - install it, run it, test if it works.
>>     - running rpm-build-compare.sh on the binaries to see if there have
>> been any significant changes (e.g., to the libraries used)
>
> rpm-build-compare.sh is usually run after building in mach and before
> posting to updates-testing. I don't think this should be mandatory for
> people to give a VERIFY as it will require more work than they will
> probably be willing to do. That said, if anyone actually does it, it's
> definitely a plus...

Fine by me.  IMHO, however, it is very useful to run 
rpm-build-compare.sh on the _binary_ RPMS, to see if there have been 
any changes (e.g., some library or file went missing by accident, 
etc.).  These kind of changes are impossible to test on your own.

Or is there an undocumented process what happens at mach and 
updates-testing, i.e., is someone already doing this kind of review ?

(I was hoping this was automatic except for gpg signing, but if not, I 
think it needs to be documented on the web pages so the folks have 
right expectations what different folks should be doing.)

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings