[Development] Qt5 combined source package - Perl dependency

Thiago Macieira thiago.macieira at intel.com
Tue Apr 30 17:12:36 CEST 2013


On Tuesday, 30 April 2013 11.00.11, Oswald Buddenhagen wrote:
> On Mon, Apr 29, 2013 at 11:25:14AM -0700, Thiago Macieira wrote:
> > Adding a random file somewhere *usually* isn't a problem. It is a problem
> > only if the presence of a file changes the output of the build. And
> > that's exactly what configure.exe and the include/ dir do: they change
> > the output. It's not possible to cryptographically verify them. [...]
> > 
> > You're going to say: why don't security-conscious people download from
> > Git? I would say that they should. But some people may not be able to
> > access our Git servers from their networks.
> 
> even adding these together, i don't see any problem. the ultra-paranoid
> ones can simply delete include/ (and configure.exe) from the extracted
> source tree,

They have to know that those exist in the first place and should be deleted. 
And then their build breaks, right now.

> and thus start as if they got the sources from git (as
> projected now, they'd need a "git init" to trick the build system into
> believing it's a real git build. that could be rectified by adding a
> -git-build option to configure).

Can we do it somehow less magically? Isn't there a way to do it if it needs to 
be done, and not do it if it doesn't need to be done?

This brings back memories of the old LICENSE.TROLL file...

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
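
The check this thread is about, as an added example that is not part of the original message or of Qt's tooling: hash every file in an extracted source package and in a checkout of the same tag, then list the files that exist only in the package (such as configure.exe and include/) or whose content differs. The function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile

def tree_hashes(root):
    """Map each relative file path under root to its SHA-256, skipping .git."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def audit_package(package_dir, checkout_dir):
    """Compare an extracted source package with a checkout of the same tag.

    Returns (extra, changed, missing): files only in the package, files whose
    content differs, and files only in the checkout.
    """
    pkg, ref = tree_hashes(package_dir), tree_hashes(checkout_dir)
    extra = sorted(set(pkg) - set(ref))
    changed = sorted(p for p in set(pkg) & set(ref) if pkg[p] != ref[p])
    missing = sorted(set(ref) - set(pkg))
    return extra, changed, missing

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed trees: the package adds configure.exe and include/."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg, ref = os.path.join(tmp, "package"), os.path.join(tmp, "checkout")
        for root in (pkg, ref):
            _write(root, "configure", b"#!/bin/sh\n")
            _write(root, "src/example.cpp", b"int main() { return 0; }\n")
        _write(pkg, "configure.exe", b"constructed placeholder binary")
        _write(pkg, "include/Example/example.h", b"// constructed header\n")
        return audit_package(pkg, ref)

if __name__ == "__main__":
    extra, changed, missing = demo()
    print("only in package:", extra)
    print("content differs:", changed)
    print("only in checkout:", missing)
```

Files reported as only in the package are the ones that cannot be checked against the repository history and need a separate review or a rebuild from source.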