The Greater Concern
Everything is relative
The Fedora Project is seeking ways to verify the installer images and package payload distributed by Fedora Unity in the form of Re-Spins. It's not because they don't trust the source these binary and source images come from; they just want a general procedure, of which verification of what is being distributed is a major component. This right now, or so it seems, is preventing the Fedora Unity images from being officially linked from fedoraproject.org's "get-fedora" page. This has always been a desire on Fedora Unity's part, as we think our Re-Spins are beneficial to the existing community around Fedora, as well as to newcomers. Eventually, possibly, we might even be able to push the entire process upstream, to the Fedora Project itself, with all of us testers, composers, techies and developers following, so that what we do now under Fedora Unity genuinely becomes the Fedora Project.
It's time for me to make a suggestion for the verification process on the images I produce:
I am Jeroen van Meeuwen, certified engineer for all kinds of stuff that has or does not have anything to do with Fedora and all that crap, you know where I live, and I've signed the CLA. I'm with Fedora Unity, the long-standing project with more than just a proven track record. We've been around for a couple of years, as I'm sure you know already. You might have met me at one FUDCon or another, or some other event; you might be able to Google me and start digging from there. I'm not really sure how much information you need about me to be able to verify where the images come from and therefore trust what the contents are exactly. I'm not sure there's a viable concern about my systems potentially being hacked or badly maintained so that not even I could tell what is on the images exactly, but if there is, make sure to notify all the greater parties that certify me; you'll find them on my fedoraproject.org wiki page.
Regardless, I'm the one that composes these Re-Spins. When I publish the images I produce, I sign off on them. Yup, that's me, personally. With or without backported anaconda hacks which are not in Fedora proper, but help the community. And not just me: the entire Fedora Unity Test Team signs off on them, after the 138 tests they perform. When these Re-Spins are released, an estimated 3000 users (per month) use these images to install one or more systems. I can see why a verification process is needed so much.
Thank you though, for trying to draft up a process concerning spins in general instead of getting rid of the show-stopper for Re-Spins that is called verification. I understand the concern, I'm not new to this world. Someone though might think it's a little far-fetched and that you're overreaching. Please make sure that doesn't cost you, I hate to see good people turn away from the project or become outcasts.
I've not even addressed the real, technical issue. There is no way to verify an image, whether it be an installer image or a live image. This is a genuine catch-22. I'm definitely going to kiss the one that comes up with a solution (if it's a girl, that is; boys can get a beer ;p). It might take a while, but being able to verify externally composed (binary) images would just be playing to the gallery.
Now here's a picture: Compared to this, the issue of being able to link to third party repositories went over smoothly. Where's the verification process for that? I'm not sure what concerns me most, but the lack of consistency sure looks like a winner to me.

