3) the VERIFY QA is obligated to: - check the GPG signature and checksum of the packages - install it, run it, test if it works. - running rpm-build-compare.sh on the binaries to see if there have been any significant changes (e.g., to the libraries used)
rpm-build-compare.sh is usually run after building in mach and before posting to updates-testing. I don't think this should be mandatory for people to give a VERIFY as it will require more work than they will probably be willing to do. That said, if anyone actually does it, it's definitely a plus...
Fine by me. IMHO, however, it is very useful to run rpm-build-compare.sh on the _binary_ RPMS, to see if there have been any changes (e.g., some library or file went missing by accident, etc.). These kind of changes are impossible to test on your own.
Or is there an undocumented process what happens at mach and updates-testing, i.e., is someone already doing this kind of review ?
(I was hoping this was automatic except for gpg signing, but if not, I think it needs to be documented on the web pages so the folks have right expectations what different folks should be doing.)
-- Pekka Savola "You each name yourselves king, yet the Netcore Oy kingdom bleeds." Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
-- fedora-legacy-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-legacy-list
