SRPM lists for spins LiveISOs
Jeff Spaleta
jspaleta at gmail.com
Mon Mar 10 17:20:08 UTC 2008
On Sun, Mar 9, 2008 at 6:30 AM, Matt Domsch <Matt_Domsch at dell.com> wrote:
> To keep track of the Fedora FOSS contents people are including in
> their spins, I've added a tool[1] the the 'correspondingsource'
> project[2] which can be used to extract the list of all SRPMS
> correspoding to the binary content in a LiveCD/DVD image.
>
> $ sudo liveiso_srpm_list /path/to/your-Live-image.iso
Any way you can have this tool also test the key signatures of
packages in the iso?
This came up in fab concerning hosting externally built isos as part
of a tiered collection of spins. Is it possible for your tool, or a
related tool that you can build this week, to verify that the livecd
contents come from packages signed by the Fedora key (or a specific
group of keys)?
Correct me if I'm wrong, but to adapt what you are doing here, all
we'd need to do is import the keys we want to verify against into an
keyring for rpm to use, then have rpm use that keyring while running
rpm -K against each package.
-jef
More information about the fedora-devel-list
mailing list