On Fri, Apr 26, 2013 at 10:00:42AM +0000, Anttila Janne wrote:
> Qt-Project now provides split source packages, the split packages
> do not and should not have syncqt executed. Thus they would make
> it possible to cryptographically verify that the sources match
> exactly the repository with no modifications.
>
i don't see how the presence of additional files (which are all listed
in .gitignore) prevents cryptographic verification in the first place.
obviously the additional files need to be signed as well, but the
archive as a whole needs signing anyway, as nobody would verify just the
git tree sha1 (how to even do that without creating a git repo out of
the unpacked sources?).
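The git tree SHA-1 mentioned in the reply above can be recomputed from an unpacked source directory without creating a repository, and doing so shows how any additional file changes the result. This is an added example, not part of the original thread or of Qt's tooling; `obj_id`, `tree_id` and `demo` are hypothetical names, the sample tree is constructed, and it assumes the unpacked files are byte-identical to the committed blobs (no line-ending conversion, no submodules).

```python
import hashlib
import os
import stat
import tempfile

def obj_id(kind: bytes, body: bytes) -> bytes:
    """Raw SHA-1 of a git object: '<kind> <size>\\0' header followed by the body."""
    return hashlib.sha1(kind + b" %d\0" % len(body) + body).digest()

EMPTY_TREE = obj_id(b"tree", b"")

def tree_id(path: str) -> bytes:
    """Git tree id (raw 20 bytes) of an unpacked directory, no repository needed."""
    entries = []
    for name in os.listdir(path):
        if name == ".git":
            continue
        full = os.path.join(path, name)
        st = os.lstat(full)
        if stat.S_ISLNK(st.st_mode):
            mode, oid = b"120000", obj_id(b"blob", os.fsencode(os.readlink(full)))
        elif stat.S_ISDIR(st.st_mode):
            mode, oid = b"40000", tree_id(full)
            if oid == EMPTY_TREE:
                continue  # git does not record directories that hold no files
        elif stat.S_ISREG(st.st_mode):
            mode = b"100755" if st.st_mode & stat.S_IXUSR else b"100644"
            with open(full, "rb") as fh:
                oid = obj_id(b"blob", fh.read())
        else:
            continue  # sockets, devices etc. cannot be stored in a tree
        # git orders entries by name bytes, comparing directories as "name/"
        key = os.fsencode(name) + (b"/" if mode == b"40000" else b"")
        entries.append((key, mode + b" " + os.fsencode(name) + b"\0" + oid))
    return obj_id(b"tree", b"".join(entry for _, entry in sorted(entries)))

def demo():
    """Constructed sample: one extra generated file changes the tree id."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "src"))
        with open(os.path.join(root, "src", "main.cpp"), "wb") as fh:
            fh.write(b"int main() {}\n")
        clean = tree_id(root).hex()
        with open(os.path.join(root, "generated.h"), "wb") as fh:
            fh.write(b"// constructed stand-in for a generated file\n")
        return clean, tree_id(root).hex()
```

The hex value of `tree_id()` is what `git rev-parse <commit>^{tree}` prints for the matching commit. The check only means something if that expected id comes from a trusted source such as a signed tag.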