On Tue, Mar 4, 2008 at 12:34 PM, Jeff Spaleta <jspaleta@xxxxxxxxx> wrote:
> On Tue, Mar 4, 2008 at 12:29 PM, Josh Boyer <jwboyer@xxxxxxxxx> wrote:
> > Except spins are done off of released versions of Fedora. Which means
> > the packages they use are already signed with the Fedora key.
>
> We'd have to have some way to verify that.

Correct me if I'm wrong, but any sort of checksum comparison between multiple locally built images wouldn't work as a baseline verifier of which repository a spin was built from, would it? If 4 different people took the kickstart and rebuilt it using the livecd tools on different machines at different times, using packages from the Fedora repository... they wouldn't end up with images with the same checksums, right?

-jef