QA process was Re: RPM submission procedure

[Toshio]

Concerns about the autobuilder downloading a different src.rpm/tarball
than the QA testers can be alleviated (entirely?) by having QA testers
submit hashes of the files they're testing.  Then the autobuilder has to
check that the files it's working with match the ones the QA testers
tested.

I agree that QA tester eyeballs aren't necessarily enough (because of
boredom, etc) and that the autobuilder should be resistant to the
package build trying to compromise the machine (because something will
inevitably slip through) but shouldn't QA eyeballs be part of a defense
in depth?

-Toshio
(Forgive my not replying to the thread, I deleted the message before
realizing I had something to say)

-- 
Toshio <toshio at tiki-lounge.com>