[Development] Qt5 combined source package - Perl dependency

Oswald Buddenhagen oswald.buddenhagen at digia.com
Mon Apr 29 19:34:45 CEST 2013


On Mon, Apr 29, 2013 at 09:25:15AM -0700, Thiago Macieira wrote:
> On segunda-feira, 29 de abril de 2013 18.09.14, Oswald Buddenhagen wrote:
> > i'll rethink my stance if you answer my questions regarding the
> > verification process to my satisfaction.
> 
> I want the source tarballs to have the Git archive embedded commit ID, so I 
> can use git get-tar-commit-id on them.
> 
> Like:
> $ curl -s http://macieira.org/qtchooser/qtchooser-26-g97962d2.tar.gz | zcat | 
> git get-tar-commit-id
> 97962d23a14cd09874e69796b5e21167de869bd2
> 
> And given that commit ID, I'd like to confirm that the files in the tarball are 
> unmodified, compared to the repository. The easiest is to simply re-export:
> 
> $ zcat qtchooser-26-g97962d2.tar.gz | git get-tar-commit-id 
> 97962d23a14cd09874e69796b5e21167de869bd2
> $ zcat qtchooser-26-g97962d2.tar.gz | sha1sum              
> a0aa581b1f5689de986ed2df4a769f1b29a7f5af  -
> $ git archive --format=tar --prefix=qtchooser-26-g97962d2/ 
> 97962d23a14cd09874e69796b5e21167de869bd2 | sha1sum
> a0aa581b1f5689de986ed2df4a769f1b29a7f5af  -
> 
> Verification complete: the archive matches the repository. I've verified 
> cryptographically that the file in the server is not only unmodified, it matches 
> the commit it's supposed to match.
> 
would it be terribly hard to add a filter step that throws out include/
(and configure.exe) when zcat-ing the archive?

on a general note, i don't quite get what the *point* of this exercise
is. to verify the archive you actually need the git repo itself.
signing the archive seems a lot more useful to me ...
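The check Thiago walks through above (read the commit id that `git archive` embeds, re-export, compare), plus the "filter step" that drops generated paths such as include/ before comparing, can be reproduced without git on the verifier side. The Python below is an added example, not code from the thread or from Qt: it builds its own sample tarballs in memory (the commit id and file contents are constructed, not real Qt data) and compares per-file digests, which is an assumption on my part that tolerates tar metadata noise where a whole-stream sha1sum would not.

```python
import hashlib
import io
import tarfile

# Constructed sample commit id (same shape as the one in the thread, not a real commit).
SAMPLE_COMMIT = "97962d23a14cd09874e69796b5e21167de869bd2"


def make_tar(prefix, files, commit_id=None):
    """Build an uncompressed tar in memory. With commit_id set, write the pax
    global 'comment' header that git archive uses to embed the commit id."""
    buf = io.BytesIO()
    pax = {"comment": commit_id} if commit_id else {}
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT,
                      pax_headers=pax) as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(prefix + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def embedded_commit_id(tar_bytes):
    """What 'git get-tar-commit-id' reads: the pax global header's comment field
    (None when the archive was not produced by git archive)."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        return tf.pax_headers.get("comment")


def member_digests(tar_bytes, ignore=()):
    """Map each regular file (leading prefix directory stripped, ignored paths
    skipped) to the sha1 of its content. Per-file digests survive differences
    in mtime/uid/prefix that a sha1sum over the raw stream would flag."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tf:
        for m in tf.getmembers():
            rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
            if not m.isfile() or rel.startswith(ignore):
                continue
            digests[rel] = hashlib.sha1(tf.extractfile(m).read()).hexdigest()
    return digests


def archive_differences(downloaded, reexported, ignore=()):
    """Sorted paths whose content differs or that exist in only one archive.
    An empty list means the download matches the re-export of its commit."""
    a = member_digests(downloaded, ignore)
    b = member_digests(reexported, ignore)
    return sorted(p for p in set(a) | set(b) if a.get(p) != b.get(p))
```

In practice `reexported` is the output of `git archive --format=tar <commit>` for the id returned by `embedded_commit_id`, and `ignore` lists the generated paths (include/, configure.exe) the package adds on top of the tree.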
