On Sat, 07 Mar 2015 at 15:46:41, John Keeping wrote: > This requires that we save the downloaded file explicitly rather than > piping it straight to tar, but that is advisable anyway since it allows > us to check the exit status of curl and make sure that we have > downloaded the file successfully. > > Also add a test to make sure we don't forget to update the file when > updating our Git version in the future. > > Signed-off-by: John Keeping <j...@keeping.me.uk> > --- > Makefile | 8 ++++++-- > git.sha256sum | 1 + > tests/t0001-validate-git-versions.sh | 11 +++++++++++ > 3 files changed, 18 insertions(+), 2 deletions(-) > create mode 100644 git.sha256sum > [...]
I like the idea, however, sha256sum is not available on all platforms. This breaks `make get-git` under OpenBSD, for example (OpenBSD has a utility called sha256 with a different command line interface). Maybe we can make the check optional, though? On a related note, can we download a signature and use `gpg --verify` instead (should probably be optional as well, to avoid a dependency on GnuPG)? _______________________________________________ CGit mailing list CGit@lists.zx2c4.com http://lists.zx2c4.com/mailman/listinfo/cgit
