Re: "Action Items" From FUDCon?

["Jeff Spaleta" <jspaleta gmail com>]

On Jan 13, 2008 8:50 PM, Jeffrey Ollie <jeff ocjtech us> wrote:
> >From what I know of CVS, this isn't possible from inside CVS and
> likely very difficult from outside CVS too.  Basically, you'd have to
> set up a database outside CVS that would track the version (and maybe
> the MD5/SHA signature) of every file that koji used to build the SRPM.
>  With this setup you could at least know if CVS had been messed with
> after Koji did the build.

Are you aware of what are cvs is setup to do right now?  make srpm
basically provides the needed functionality in a checked out cvs tree.
For the purpose of recreating srpms for binaries we distribute
on-demand we just have to have tags we can trust corresponding to a
build we can trust. In discussion with infrastructure and release
people before it was brought up that it would be a good idea to have
koji re-tag back into cvs after a build to indicate it was a
releasable build and that its a trivial change in how things are done.

-jef