[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SRPM lists for spins LiveISOs



On Sun, Mar 9, 2008 at 6:30 AM, Matt Domsch <Matt_Domsch dell com> wrote:
> To keep track of the Fedora FOSS contents people are including in
>  their spins, I've added a tool[1] the the 'correspondingsource'
>  project[2] which can be used to extract the list of all SRPMS
>  correspoding to the binary content in a LiveCD/DVD image.
>
>  $ sudo liveiso_srpm_list /path/to/your-Live-image.iso


Any way you can have this tool also test the key signatures of
packages in the iso?
This came up in fab concerning hosting externally built isos as part
of a tiered collection of spins.  Is it possible for your tool, or a
related tool that you can build this week, to verify that the livecd
contents come from packages signed by the Fedora key (or a specific
group of keys)?

Correct me if I'm wrong, but to adapt what you are doing here, all
we'd need to do is import the keys we want to verify against into an
keyring for rpm to use, then have rpm use that keyring while running
rpm -K against each package.

-jef


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]