Hi there, I was wondering if there is any process that we (spin developers - music list) could use to confirm that a spin iso was 1. built with a particular kickstart file (or list of files when there is kickstart %include x directives). 2. hasn't been doctored on purpose eg by the person building the iso, or corrupted by the upload/download process 3. hasn't been tainted by unknown code on the build machine A few thoughts: 1. the spin build process could place copies of all the spin kickstarts files in a folder on the destination machine eg /root/build-process. This would be in addition to the automatically created anaconda-ks.cfg (which is the combined ks file). 2. shaNsum created by the spin creator and uploaded alongside the iso 3. content test by downloader of the iso: - mount -o loop/image on existing known good system - using known system rpm -Va all packages - using known system tools, compare filelist from on image rpm db with complete list of files on disk to indicate every "extra" file present anywhere on the image. list the name and contents of them. - above check to indicate every "modified" rpm installed file 4. If a user builds a spin at a different time, or with repo out of sync, I expect that I could get different versions of packages in my build, so I don't think you could say: User built from the spin kickstart, and has a different sized/content iso, hence the original spin is "faulty". Does that make sense ? -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
