On 1/13/08, Jeff Spaleta <jspaleta@xxxxxxxxx> wrote:
> On Jan 13, 2008 3:28 PM, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
> > Can anyone think of any action items the infrastructure team (or others
> > for that matter) may need to do as a result of discussions during
> > hackfest/fudcon?
>
> figure out how to get koji to write back an immutable unique tag back
> into cvs for each non-scratch koji build that completes. Or something
> equivalent so we can regenerate srpms from cvs reasonably easily for
> any package version we have released. There is an issue right now
> with forced retagging in cvs still being possible which means we can't
> rely on the tags that get created when a contributor does a make tag.

From what I know of CVS, this isn't possible from inside CVS and likely
very difficult from outside CVS too. Basically, you'd have to set up a
database outside CVS that would track the version (and maybe the MD5/SHA
signature) of every file that koji used to build the SRPM. With this
setup you could at least know if CVS had been messed with after Koji did
the build.

I know I'm going to evoke some groans when I say this, but Git provides
exactly the mechanism that you're looking for. The Git commit id is
actually a SHA1 hash of the history of a particular commit. If you know
the Git commit id you can be guaranteed that you got exactly the same
source out that you put in. I believe that Mercurial has a similar
system, however I'm not sure that Mercurial makes as strong guarantees
as Git does.

I believe that both Git and Mercurial provide the ability to GPG sign a
tag - another way to accomplish this goal would be for Koji to sign the
tags that it builds from.

Jeff