spin development: how to trust an iso built outside the fedora build sys

[David Timms]

Hi there,

I was wondering if there is any process that we (spin developers - music
list) could use to confirm that a spin iso was
1. built with a particular kickstart file (or list of files when there
is kickstart %include x directives).
2. hasn't been doctored on purpose eg by the person building the iso, or
corrupted by the upload/download process
3. hasn't been tainted by unknown code on the build machine

A few thoughts:
1. the spin build process could place copies of all the spin kickstarts
files in a folder on the destination machine eg /root/build-process.
This would be in addition to the automatically created anaconda-ks.cfg
(which is the combined ks file).
2. shaNsum created by the spin creator and uploaded alongside the iso
3. content test by downloader of the iso:
- mount -o loop/image on existing known good system
- using known system rpm -Va all packages
- using known system tools, compare filelist from on image rpm db with
complete list of files on disk to indicate every "extra" file present
anywhere on the image. list the name and contents of them.
- above check to indicate every "modified" rpm installed file
4. If a user builds a spin at a different time, or with repo out of
sync, I expect that I could get different versions of packages in my
build, so I don't think you could say: User built from the spin
kickstart, and has a different sized/content iso, hence the original
spin is "faulty". Does that make sense ?