On Mon, Apr 29, 2013 at 09:25:15AM -0700, Thiago Macieira wrote:
> On Monday, 29 April 2013 18.09.14, Oswald Buddenhagen wrote:
> > i'll rethink my stance if you answer my questions regarding the
> > verification process to my satisfaction.
>
> I want the source tarballs to have the Git archive embedded commit ID, so I
> can use git get-tar-commit-id on them.
>
> Like:
> $ curl -s http://macieira.org/qtchooser/qtchooser-26-g97962d2.tar.gz | zcat | git get-tar-commit-id
> 97962d23a14cd09874e69796b5e21167de869bd2
>
> And given that commit ID, I'd like to confirm that the files in the tarball
> are unmodified, compared to the repository. The easiest is to simply re-export:
>
> $ zcat qtchooser-26-g97962d2.tar.gz | git get-tar-commit-id
> 97962d23a14cd09874e69796b5e21167de869bd2
> $ zcat qtchooser-26-g97962d2.tar.gz | sha1sum
> a0aa581b1f5689de986ed2df4a769f1b29a7f5af -
> $ git archive --format=tar --prefix=qtchooser-26-g97962d2/ 97962d23a14cd09874e69796b5e21167de869bd2 | sha1sum
> a0aa581b1f5689de986ed2df4a769f1b29a7f5af -
>
> Verification complete: the archive matches the repository. I've verified
> cryptographically that the file in the server is not only unmodified, it
> matches the commit it's supposed to match.
>

would it be terribly hard to add a filter step that throws out include/ (and configure.exe) when zcat-ing the archive?

on a general note, i don't quite get what the *point* of this exercise is. to verify the archive you actually need the git repo itself. signing the archive seems a lot more useful to me ...
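
The filter step asked about in the reply above, as an added example that is not part of the thread or of any Qt release script: it reads the commit ID from the pax global header (the field `git get-tar-commit-id` prints) and compares a release tarball with a re-export while ignoring `include/` and `configure.exe`. Assumptions: the function names are hypothetical, the digest is SHA-256 over a per-file manifest rather than `sha1sum` of the raw tar stream, and the sample archives and commit ID are constructed.

```python
import hashlib
import io
import tarfile

# Paths added at packaging time and absent from the git tree, per the reply above.
GENERATED_DIRS = ("include/",)
GENERATED_FILES = ("configure.exe",)

def commit_id(tar_bytes):
    """Commit ID from the pax global header 'comment' field, where git archive
    stores it (the value git get-tar-commit-id prints); None if absent."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        tf.getmembers()  # make sure the headers have been read
        return tf.pax_headers.get("comment")

def is_generated(rel):
    return rel in GENERATED_FILES or rel.startswith(GENERATED_DIRS)

def filtered_digest(tar_bytes):
    """SHA-256 over path, mode and content of each file or symlink, ignoring the
    top-level prefix directory and the generated paths."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in sorted(tf.getmembers(), key=lambda m: m.name):
            rel = m.name.partition("/")[2]
            if not (m.isfile() or m.issym()) or is_generated(rel):
                continue
            body = tf.extractfile(m).read() if m.isfile() else m.linkname.encode()
            h.update(f"{rel}\0{m.mode:o}\0{len(body)}\0".encode() + body)
    return h.hexdigest()

def build_sample(files, commit, prefix="pkg-1.0/"):
    """Constructed tar standing in for a release tarball or git archive output."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT,
                      pax_headers={"comment": commit}) as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(prefix + name)
            info.size, info.mode = len(data), 0o644
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

COMMIT = "1234567890abcdef1234567890abcdef12345678"  # constructed, not a real commit
TREE = {"src/main.cpp": b"int main() { return 0; }\n"}
exported = build_sample(TREE, COMMIT)  # stands in for `git archive <commit>`
release = build_sample({**TREE, "include/QtCore/qglobal.h": b"// generated\n",
                        "configure.exe": b"MZ"}, COMMIT, prefix="pkg-1.0-rc/")
tampered = build_sample({"src/main.cpp": b"int main() { return 1; }\n"}, COMMIT)

if __name__ == "__main__":
    print(commit_id(release), filtered_digest(release) == filtered_digest(exported))
```

Only the top-level `include/` and `configure.exe` are skipped, so a changed file anywhere else, including a nested `src/include/`, still changes the digest.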