On Mon, Aug 01, 2011 at 03:31:45PM -0700, Jesse Keating wrote: > On Aug 1, 2011, at 3:18 PM, David Nalley wrote: > > > > My perception is that we want such a rigid process because we don't > > want anything bad/failure to be associated with the finished product > > that bears our name. Certainly a laudable goal. However, when we > > require the same onerous process we use to insure that our primary > > version(s) work and apply that process to 'niche' products like the > > F15 Design Suite (with 939 downloads as of this writing), or the F15 > > XFCE Spin (with 2720 downloads as of this writing)[0] it seems like we > > are doing something wrong. At the other end of the spectrum we have > > virtually no oversight of virtual images for providers like Linode, > > Godaddy, Amazon, RackSpace, and scores of other VPS/Cloud/Managed > > Service providers who are permitted to use the Fedora name and > > trademarks, offer Fedora virtual machines, and I'd be willing to bet > > that they have more Fedora 15 deployments each than we have downloads > > of the Design Suite. Instances where our brand is important and the > > basis of the choice of operating system, where people will likely > > never know whether the image was generated by RelEng or by $fooadmin > > at $provider. > > Honestly I think that the hangup is in how these virt images get created. It's one thing to take a copy of our isos and host it on your own server. The files don't get changed, they can still be checksummed against our gpg signed sums, and you can still run the integrity test inside. Same with hosting a mirror of our package tree. Each RPM remains intact and the gpg signature can still be verified. > > However for EC2 and the like one has to break apart the iso and shuffle bits around, and hopefully do it the right way so that the end result works. (forgive me I'm oversimplifying greatly here) Because the process is different, and because the end results can't easily be verified by the end user (correct me if I'm wrong) it's not so easy to pass it off as something that should be as "free" to do as hosting a copy of our install media or hosting a copy of our packages. > Even with EC2, the files come from the rpms, they do not get changed. You can rpm verify every single package installed, and the contents are 100% fedora. What does get changed is a couple of config files (fstab, grub.conf, and rc.local to allow for logins). Package contents are 100% Fedora, and the update process is a yum update off of the same mirrors that ISO installs use. A default user is created, the fstab is modified to mount the extra S3 scratch disk that amazon provides, and a small bit of scripting is added to make images download a fresh ssh key on boot to ensure that users can log into their host, and no one else can. Justin _______________________________________________ advisory-board mailing list advisory-board@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/advisory-board
