[Development] Qt5 combined source package - Perl dependency

Thiago Macieira thiago.macieira at intel.com
Mon Apr 29 18:25:15 CEST 2013


On Monday, 29 April 2013 18.09.14, Oswald Buddenhagen wrote:
> On Mon, Apr 29, 2013 at 07:44:18AM -0700, Thiago Macieira wrote:
> > On Monday, 29 April 2013 11.06.11, Oswald Buddenhagen wrote:
> > > my current solution is entirely predictable: git builds always run
> > > syncqt, while other builds never do. this makes a very clear statement:
> > > if you want to modify qt (or at least its apis), use git.
> > 
> > Please note that this is not the proposal.
> > 
> > The proposal was to have the big packages include the headers, but the
> > split source packages not have them.
> 
> which makes no sense as far as i'm concerned.
> i'll rethink my stance if you answer my questions regarding the
> verification process to my satisfaction.

Can you re-state the questions?

I want the source tarballs to have the Git archive embedded commit ID, so I 
can use git get-tar-commit-id on them.

Like:
$ curl -s http://macieira.org/qtchooser/qtchooser-26-g97962d2.tar.gz | zcat | git get-tar-commit-id
97962d23a14cd09874e69796b5e21167de869bd2

And given that commit ID, I'd like to confirm that the files in the tarball are 
unmodified, compared to the repository. The easiest is to simply re-export:

$ zcat qtchooser-26-g97962d2.tar.gz | git get-tar-commit-id
97962d23a14cd09874e69796b5e21167de869bd2
$ zcat qtchooser-26-g97962d2.tar.gz | sha1sum
a0aa581b1f5689de986ed2df4a769f1b29a7f5af  -
$ git archive --format=tar --prefix=qtchooser-26-g97962d2/ 97962d23a14cd09874e69796b5e21167de869bd2 | sha1sum
a0aa581b1f5689de986ed2df4a769f1b29a7f5af  -

Verification complete: the archive matches the repository. I've verified
cryptographically that the file on the server is not only unmodified, it matches
the commit it's supposed to match.


Of course, the above assumes that git archive will not change its output in a 
new version of Git. If that happens, then we need to verify differently, such 
as:
 a) import the sources to git and confirm the tree SHA-1
     => won't work due to the presence of .gitattributes
 b) do a file-by-file blob SHA-1 comparison, verifying that no files are missing
     (except those with export-ignore in .gitattributes) and no extra files are
     present

In general, I'd say that the export-* attributes in .gitattributes should be 
removed, to ease verification. Then we have a 1:1 match to the commit.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
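
The file-by-file comparison from option (b), as an added example that is not part of the original message and is not Qt project code. It is written in Python so that it runs without a repository: in practice the expected map would be parsed from the output of `git ls-tree -r <commit>`. The `export_ignored` parameter, the `build_sample` helper and the `demo-1.0/` data are constructed for illustration.

```python
import hashlib
import io
import tarfile

def git_blob_sha1(data):
    # Git's blob ID: SHA-1 over the header "blob <size>\0" followed by the content.
    return hashlib.sha1(b"blob %d\x00" % len(data) + data).hexdigest()

def parse_ls_tree(listing):
    # Each line of `git ls-tree -r <commit>` is "<mode> <type> <sha>\t<path>".
    expected = {}
    for line in listing.splitlines():
        meta, path = line.split("\t", 1)
        _mode, objtype, sha = meta.split()
        if objtype == "blob":  # submodules are listed as "commit" entries
            expected[path] = sha
    return expected

def compare_tarball(tar_bytes, prefix, expected, export_ignored=frozenset()):
    # Returns (modified, missing, extra): sorted paths relative to the commit.
    seen = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar:
            # Entries outside the prefix get a name no Git path can have.
            path = m.name[len(prefix):] if m.name.startswith(prefix) else "../" + m.name
            if m.issym():  # Git stores a symlink as a blob holding its target
                seen[path] = git_blob_sha1(m.linkname.encode())
            elif m.isfile():
                seen[path] = git_blob_sha1(tar.extractfile(m).read())
            elif not m.isdir():  # hard links, devices: git archive never emits these
                seen[path] = "not-a-blob"
    modified = sorted(p for p in seen if p in expected and seen[p] != expected[p])
    extra = sorted(p for p in seen if p not in expected)
    missing = sorted(p for p in expected if p not in seen and p not in export_ignored)
    return modified, missing, extra

def build_sample():
    # Constructed data: a four-file "commit" and a tarball that differs from it.
    repo = {"README": b"demo\n", "LICENSE": b"text\n", "main.c": b"int main(){}\n",
            ".gitattributes": b".gitattributes export-ignore\n"}
    listing = "\n".join("100644 blob %s\t%s" % (git_blob_sha1(d), p) for p, d in repo.items())
    packed = {"README": b"demo\n", "main.c": b"int main(){return 1;}\n", "include/gen.h": b"//\n"}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for p, d in packed.items():
            info = tarfile.TarInfo("demo-1.0/" + p)
            info.size = len(d)
            tar.addfile(info, io.BytesIO(d))
    return listing, buf.getvalue()
```

A file carrying the export-subst attribute would be reported as modified here, because git archive rewrites its content on export.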