On Tue, Nov 27, 2012 at 7:01 AM, Petr Mladek <pmla...@suse.cz> wrote:
>
> Or we want to make sure that people use only a single version of the
> tarballs (security?, preciseness?). In this case, we might need md5sum
> in git. But this is a pretty non-standard solution. I think that it is too
> paranoid and I am not sure if it is worth the effort of having the complex
> names. For example, if you want to work with the file and do not
> remember the md5sum, you need to search the directory to be able to write
> the right name...

I do think that it is worth the effort. We do point to tarballs that are not hosted directly, and we do want to detect an intrusion.

If someone hacks our infra and messes with the git repo... since 100's of people have a copy of the git repo, we will notice a hack there... but if the md5 value is not in git itself, then someone who hacks the server can inject his own tarball, and that would not be detected unless someone carefully inspects the tarball or gets an md5 independently of the original tarball...

So there is no real point in using md5 if we are not keeping the 'value' in git itself (and no, the download integrity check _is_ not worth it... if a download fails you usually know, and even if you do not, that rarely results in something that you can uncompress and untar without error).

Norbert
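
Added example, not part of the original message or of LibreOffice's build scripts: a sketch of the check argued for above, comparing a digest pinned in the git-tracked file name with a checksum file fetched from the same server as the tarball. The `<md5>-<name>` naming scheme, the function names and the `libfoo-1.0.tar.gz` sample are assumptions made for illustration, and the file contents are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed naming scheme for this example: "<md5 hex>-<tarball name>".
# The name is what gets committed to git; the tarball itself lives elsewhere.
PINNED = re.compile(r"^(?P<md5>[0-9a-f]{32})-(?P<name>.+)$")


def md5_of(path) -> str:
    """Hash the file in chunks so large tarballs need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def verify_pinned(pinned_name: str, path) -> bool:
    """Check the download against the md5 embedded in the git-tracked name."""
    m = PINNED.match(pinned_name)
    if m is None:
        raise ValueError(f"no md5 prefix in {pinned_name!r}")
    return md5_of(path) == m.group("md5")


def verify_server_sum(sum_file: Path, path) -> bool:
    """Check against a .md5 file fetched from the same server as the tarball."""
    return md5_of(path) == sum_file.read_text().split()[0]


def demo() -> tuple:
    """Constructed scenario: the download server is modified, git is not."""
    with tempfile.TemporaryDirectory() as d:
        tarball = Path(d, "libfoo-1.0.tar.gz")
        sum_file = Path(d, "libfoo-1.0.tar.gz.md5")
        tarball.write_bytes(b"constructed original tarball bytes")
        pinned_name = f"{md5_of(tarball)}-{tarball.name}"  # committed to git
        sum_file.write_text(f"{md5_of(tarball)}  {tarball.name}\n")
        before = verify_pinned(pinned_name, tarball)
        # Server-side change: the tarball and its .md5 are both replaced.
        tarball.write_bytes(b"constructed replacement tarball bytes")
        sum_file.write_text(f"{md5_of(tarball)}  {tarball.name}\n")
        return before, verify_pinned(pinned_name, tarball), verify_server_sum(sum_file, tarball)


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The pinned check fails after the server-side replacement, while the checksum file served next to the tarball still matches it.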