P2P Packaging/Koji Cloud

Przemek Klosowski przemek.klosowski at nist.gov
Wed Dec 7 20:02:42 UTC 2011

On 12/07/2011 01:25 PM, seth vidal wrote:

> If I were going to use random vm's I'd want to:
> 1. connect using ssh
> 2. push over my own rpm/python/etc binaries
> 3. checksum all the rest of the installed (and running) software
> 4. verify those checksums versus my known good set
> 5. THEN push over the pkgs to be built

I'd say we need to be paranoid on this one and consider a tainted kernel 
where your own binaries would report A-OK on a rigged gcc because kernel 
has a special case for it. Test builds and QA might be OK, but nothing 
that results in shipped bits.

More information about the devel mailing list