On Monday, 29 April 2013 18.09.14, Oswald Buddenhagen wrote:
> On Mon, Apr 29, 2013 at 07:44:18AM -0700, Thiago Macieira wrote:
> > On Monday, 29 April 2013 11.06.11, Oswald Buddenhagen wrote:
> > > my current solution is entirely predictable: git builds always run
> > > syncqt, while other builds never do. this makes a very clear statement:
> > > if you want to modify qt (or at least its apis), use git.
> >
> > Please note that this is not the proposal.
> >
> > The proposal was to have the big packages include the headers, but the
> > split source packages not have them.
>
> which makes no sense as far as i'm concerned.
> i'll rethink my stance if you answer my questions regarding the
> verification process to my satisfaction.

Can you re-state the questions?

I want the source tarballs to have the Git archive embedded commit ID, so I can use git get-tar-commit-id on them. Like:

$ curl -s http://macieira.org/qtchooser/qtchooser-26-g97962d2.tar.gz | zcat | git get-tar-commit-id
97962d23a14cd09874e69796b5e21167de869bd2

And given that commit ID, I'd like to confirm that the files in the tarball are unmodified, compared to the repository. The easiest is to simply re-export:

$ zcat qtchooser-26-g97962d2.tar.gz | git get-tar-commit-id
97962d23a14cd09874e69796b5e21167de869bd2
$ zcat qtchooser-26-g97962d2.tar.gz | sha1sum
a0aa581b1f5689de986ed2df4a769f1b29a7f5af  -
$ git archive --format=tar --prefix=qtchooser-26-g97962d2/ 97962d23a14cd09874e69796b5e21167de869bd2 | sha1sum
a0aa581b1f5689de986ed2df4a769f1b29a7f5af  -

Verification complete: the archive matches the repository. I've verified cryptographically that the file in the server is not only unmodified, it matches the commit it's supposed to match.

Of course, the above assumes that git archive will not change its output in a new version of Git. If that happens, then we need to verify differently, such as:

a) import the sources to git and confirm the tree SHA-1
   => won't work due to the presence of .gitattributes

b) do a file-by-file blob SHA-1 comparison, verifying if no files are missing (except those with export-ignore in .gitattributes) and no extra files are present

In general, I'd say that the export-* attributes in .gitattributes should be removed, to ease verification. Then we have a 1:1 match to the commit.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development
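
[Added example, not part of the original message and not Qt project code.] A sketch of option (b) above, the file-by-file blob SHA-1 comparison, which does not depend on git archive producing byte-identical output. The function names are hypothetical; it assumes the expected blob IDs come from the output of `git ls-tree -r <commit>` in a trusted clone and that the caller supplies the paths marked export-ignore. `build_sample` only constructs a stand-in tarball for trying it offline.

```python
import hashlib, io, tarfile

def git_blob_sha1(data: bytes) -> str:
    # Git's blob ID is SHA-1 over the header "blob <size>\0" followed by the content.
    return hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

def parse_ls_tree(text: str) -> dict:
    # `git ls-tree -r <commit>` prints "<mode> <type> <sha>\t<path>" per entry.
    blobs = {}
    for line in text.splitlines():
        meta, path = line.split("\t", 1)
        _mode, objtype, sha = meta.split()
        if objtype == "blob":          # skip submodule ("commit") entries
            blobs[path] = sha
    return blobs

def verify_tarball(tar_bytes, prefix, expected, export_ignored=()):
    """Return (commit_id, missing, extra, modified) for a git-archive style tarball."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:   # handles .tar and .tar.gz
        commit_id = tar.pax_headers.get("comment")  # field git get-tar-commit-id reads
        for m in tar:
            if m.isfile():
                data = tar.extractfile(m).read()
            elif m.issym():
                data = m.linkname.encode()           # git stores the link target as a blob
            else:
                continue                             # directories carry no blob
            # Entries outside the expected prefix keep their full name and show up as extra.
            rel = m.name[len(prefix):] if m.name.startswith(prefix) else "/" + m.name
            found[rel] = git_blob_sha1(data)
    wanted = {p: s for p, s in expected.items() if p not in export_ignored}
    missing = sorted(wanted.keys() - found.keys())
    extra = sorted(found.keys() - wanted.keys())
    modified = sorted(p for p in wanted.keys() & found.keys() if wanted[p] != found[p])
    return commit_id, missing, extra, modified

def build_sample(files, commit_id, prefix):
    # Constructed stand-in for `git archive` output: pax global header + files.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT,
                      pax_headers={"comment": commit_id}) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(prefix + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

A tarball passes when the returned commit ID is the expected one and the three lists are empty; file modes are not compared, only content.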