[Development] Qt5 combined source package - Perl dependency
Oswald Buddenhagen
oswald.buddenhagen at digia.com
Tue Apr 30 11:00:11 CEST 2013
On Mon, Apr 29, 2013 at 11:25:14AM -0700, Thiago Macieira wrote:
> Adding a random file somewhere *usually* isn't a problem. It is a problem only
> if the presence of a file changes the output of the build. And that's exactly
> what configure.exe and the include/ dir do: they change the output. It's not
> possible to cryptographically verify them. [...]
>
> You're going to say: why don't security-conscious people download from Git? I
> would say that they should. But some people may not be able to access our Git
> servers from their networks.
>
even adding these together, i don't see any problem. the ultra-paranoid
ones can simply delete include/ (and configure.exe) from the extracted
source tree, and thus start as if they got the sources from git (as
projected now, they'd need a "git init" to trick the build system into
believing it's a real git build. that could be rectified by adding a
-git-build option to configure).
More information about the Development
mailing list