On Jan 13, 2008 8:50 PM, Jeffrey Ollie <jeff@xxxxxxxxxx> wrote: > >From what I know of CVS, this isn't possible from inside CVS and > likely very difficult from outside CVS too. Basically, you'd have to > set up a database outside CVS that would track the version (and maybe > the MD5/SHA signature) of every file that koji used to build the SRPM. > With this setup you could at least know if CVS had been messed with > after Koji did the build. Are you aware of what are cvs is setup to do right now? make srpm basically provides the needed functionality in a checked out cvs tree. For the purpose of recreating srpms for binaries we distribute on-demand we just have to have tags we can trust corresponding to a build we can trust. In discussion with infrastructure and release people before it was brought up that it would be a good idea to have koji re-tag back into cvs after a build to indicate it was a releasable build and that its a trivial change in how things are done. -jef _______________________________________________ fedora-advisory-board mailing list fedora-advisory-board@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-advisory-board
