P2P Packaging/Koji Cloud

seth vidal skvidal at fedoraproject.org
Wed Dec 7 21:15:56 UTC 2011

On Wed, 07 Dec 2011 15:02:42 -0500
Przemek Klosowski <przemek.klosowski at nist.gov> wrote:

> On 12/07/2011 01:25 PM, seth vidal wrote:
> > If I were going to use random vm's I'd want to:
> > 1. connect using ssh
> > 2. push over my own rpm/python/etc binaries
> > 3. checksum all the rest of the installed (and running) software
> > 4. verify those checksums versus my known good set
> > 5. THEN push over the pkgs to be built
> I'd say we need to be paranoid on this one and consider a tainted
> kernel where your own binaries would report A-OK on a rigged gcc
> because kernel has a special case for it. Test builds and QA might be
> OK, but nothing that results in shipped bits.

So I have two thoughts on this:

1. scratch or personal chainbuilds could be built in ec2 or rax or
anywhere w/o an issue

2. for our shipping pkgs building them in the existing koji
buildsystems and/or in a dedicated private cloud instance makes sense -
if only for resource allocation and control.


More information about the devel mailing list