Re: spin development: how to trust an iso built outside the fedora build sys

On Sun, Aug 15, 2010 at 19:02:36 +1000,
  David Timms <dtimms@xxxxxxxxxxxx> wrote:
> 
> I was wondering if there is any process that we (spin developers - music
> list) could use to confirm that a spin iso was
> 1. built with a particular kickstart file (or list of files when there
> is kickstart %include x directives).
> 2. hasn't been doctored on purpose, e.g. by the person building the iso, or
> corrupted by the upload/download process
> 3. hasn't been tainted by unknown code on the build machine

My first suggestion is to build the iso yourself.

> A few thoughts:
> 1. the spin build process could place copies of all the spin kickstarts
> files in a folder on the destination machine, e.g. /root/build-process.
> This would be in addition to the automatically created anaconda-ks.cfg
> (which is the combined ks file).

A fake spin could put the files you expect there, but not really use them.

> 2. shaNsum created by the spin creator and uploaded alongside the iso

That is reasonable if you both create and distribute isos.

> 3. content test by downloader of the iso:
> - mount -o loop/image on existing known good system
> - using known system rpm -Va all packages

Weeding out false positives here would make this step pretty tricky.

> - using known system tools, compare filelist from on image rpm db with
> complete list of files on disk to indicate every "extra" file present
> anywhere on the image. list the name and contents of them.
> - above check to indicate every "modified" rpm installed file
> 4. If a user builds a spin at a different time, or with repo out of
> sync, I expect that I could get different versions of packages in my
> build, so I don't think you could say: User built from the spin
> kickstart, and has a different sized/content iso, hence the original
> spin is "faulty". Does that make sense ?

I don't think you get bit-identical spins if you build at different times,
and you certainly don't if there are different versions of packages being
used.
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
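
The "extra file" comparison from item 3 of the quoted message, as an added example that is not part of the original thread: it lists every path on a mounted image that the image's rpm database does not claim. It assumes the image's root filesystem is already mounted read-only on a known good system; the function names and the sample tree are hypothetical and constructed for illustration.

```python
import os
import subprocess
import tempfile


def rpm_owned_paths(root):
    """Paths claimed by the rpm database inside the image mounted at root."""
    out = subprocess.run(["rpm", "--root", root, "-qal"], check=True,
                         capture_output=True, text=True).stdout
    # Packages with no files print "(contains no files)"; keep real paths only.
    return {line for line in out.splitlines() if line.startswith("/")}


def unowned_paths(root, owned):
    """Return image-relative paths under root that no package claims."""
    prefix = os.path.abspath(root).rstrip(os.sep)
    extras = []
    # os.walk does not follow symlinks, so links cannot lead outside the image.
    for dirpath, dirnames, filenames in os.walk(prefix or os.sep):
        rel_dir = dirpath[len(prefix):] or "/"
        for name in dirnames + filenames:
            rel = os.path.join(rel_dir, name)
            if rel not in owned:
                extras.append(rel)
    return sorted(extras)


def demo():
    """Constructed sample: a tiny fake image root and a fake owned-path set."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("etc/passwd", "usr/bin/ls", "usr/bin/.hidden",
                    "root/build-process/spin.ks"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        owned = {"/etc", "/etc/passwd", "/usr", "/usr/bin", "/usr/bin/ls", "/root"}
        return unowned_paths(root, owned)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:      # real use: path where the image root is mounted
        found = unowned_paths(sys.argv[1], rpm_owned_paths(sys.argv[1]))
    else:
        found = demo()
    print("\n".join(found))
```

The owned-path set comes from the image's own rpm database, so this only flags files outside it; modified packaged files are what the `rpm -Va` step covers.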

