Testing packages for release to updates (VERIFY)

1. An email will go out with a subject Fedora Legacy Test Update Notification: (package-name)

2. Download the binary RPM package from the updates-testing channel (from the location mentioned in the email).

3. Verify the integrity of the downloaded package by checking its GPG signature and SHA1 checksums. (For details on how to verify a package, see http://www.fedoralegacy.org/about/security.php).

4. Install the package, and note any installation problems.

5. Use the package (as appropriate for the package), and note any problems found.

QA Checklist for VERIFY

The following is a QA checklist for the second step in the QA process. This is simply a checklist that should be done for each package during the second step of the QA process, but it is not the entire QA process. Each package may have steps unique to that package which are not listed here.

Required checklist

1. Verify the GPG signature and the SHA1 checksum of the package. 2. Could you install or update the package without problems? 3. Could you use the package, as appropriate for the package, without problems?

Optional checklist

1. Can you uninstall the package correctly without problems? 2. Run any published exploits (if available) against the package to verify the exploitable code has been fixed correctly.

The time needed to test a package will vary for each package. The steps needed will also vary. For example, for a simple application, you may just use it for a few minutes as you normally would, and verify that it works for the normal tasks you do with that application. On the other hand, for a kernel update, you would want to run it for a least a couple of days to see if any problems develop before reporting success.