On 2012-11-12 12:38, Seth Vidal wrote:
> What I mean is: when I build a package for Fedora, I go through the Koji
> build system. I can't just kludge up a binary RPM and have it get sent out
> into the mirror. And, anyone can go into Koji and see the packages I've
> built -- and see how they were built, if they want. And although the GPG
> package signing process is also a black box to some degree, Bodhi gives
> pretty good transparency into the path an update takes.
They can see what happened, they may not actually be able to get the
pkg... We don't keep pkgs forever.
But we do for releases, from which all previous release images have been
spun, AFAIK. The cloud SIG made sure of that quite early on in its
lifetime to keep everything GPL-compliant, and it might be worth keeping
in mind as we consider how to build images for future releases.
--
Garrett Holmstrom