On Sun, Mar 9, 2008 at 6:30 AM, Matt Domsch <Matt_Domsch@xxxxxxxx> wrote: > To keep track of the Fedora FOSS contents people are including in > their spins, I've added a tool[1] the the 'correspondingsource' > project[2] which can be used to extract the list of all SRPMS > correspoding to the binary content in a LiveCD/DVD image. > > $ sudo liveiso_srpm_list /path/to/your-Live-image.iso Any way you can have this tool also test the key signatures of packages in the iso? This came up in fab concerning hosting externally built isos as part of a tiered collection of spins. Is it possible for your tool, or a related tool that you can build this week, to verify that the livecd contents come from packages signed by the Fedora key (or a specific group of keys)? Correct me if I'm wrong, but to adapt what you are doing here, all we'd need to do is import the keys we want to verify against into an keyring for rpm to use, then have rpm use that keyring while running rpm -K against each package. -jef -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
