On Fri, 2013-04-26 at 20:02 +0100, Maciej Piechotka wrote:

> At least on Gentoo there is partially existing infrastructure but it is
> not considered superior to tarballs. The collision attack on git is
> possible, especially when the build is automated[1] and presumably by
> not closely watching user, while tarballs have their hash distributed by
> another channel on Gentoo.

It'd certainly be possible to automate additional checksums (SHA256 say)
of trees as a lookaside.  Possibly even add support to git for special
commit objects which have an additional checksum of the entire tree
contents, recursively.

> This would be problem for Vala among
> others as there would be no way to bootstrap compiler except by another
> Vala compiler.

https://git.gnome.org/browse/vala-bootstrap

gnome-ostree *always* bootstraps vala from that repository.

> The same problem is for any files which are meant to not be built
> (always) by user but are not kept in git - including say autotools
> files. Requiring each user to run autogen would make the compilation
> longer (in addition to possible errors due to changes in
> autoconf/automake).

A small price to pay for the gain...eventually of course, we'd hopefully
have a better per-component build system than autotools that doesn't
imply a huge setup hit, or at least something better than autoconf and
libtool (automake is mostly OK). 

Anyways...dropping tarballs is not going to happen soon, but I'm happy
to consider what we need to do to lay the foundations now.
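
The lookaside checksum idea from the reply above, as an added example that is not part of the original message and not an existing git feature: a recursive SHA-256 over a checked-out tree, compared against a digest published through a separate channel. The function names, the digest layout, the `lookaside` mapping and the `PLACEHOLDER_COMMIT_ID` key are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()

def tree_sha256(path):
    """Recursive SHA-256 of a directory: entry names, kinds, exec bit, contents."""
    h = hashlib.sha256()
    for name in sorted(os.listdir(path), key=os.fsencode):  # stable ordering
        if name == ".git":  # repository metadata is not tree content
            continue
        full = os.path.join(path, name)
        mode = os.lstat(full).st_mode
        if stat.S_ISLNK(mode):
            kind, digest = b"link", hashlib.sha256(os.fsencode(os.readlink(full))).digest()
        elif stat.S_ISDIR(mode):
            kind, digest = b"tree", bytes.fromhex(tree_sha256(full))
        elif stat.S_ISREG(mode):
            kind, digest = (b"exec" if mode & stat.S_IXUSR else b"file"), file_sha256(full)
        else:
            raise ValueError(f"unsupported entry type: {full}")
        raw = os.fsencode(name)
        # Fixed-width kind and digest plus a length-prefixed name keep entries unambiguous.
        h.update(kind + len(raw).to_bytes(4, "big") + raw + digest)
    return h.hexdigest()

def verify_checkout(path, commit_id, lookaside):
    """True only if the lookaside has a digest for commit_id and the tree matches it."""
    expected = lookaside.get(commit_id)
    return expected is not None and expected == tree_sha256(path)

def demo():
    """Constructed sample tree: record its digest, alter one file, check again."""
    with tempfile.TemporaryDirectory() as root:
        src = Path(root, "src", "main.vala")
        src.parent.mkdir()
        src.write_text("void main () { }\n")
        lookaside = {"PLACEHOLDER_COMMIT_ID": tree_sha256(root)}
        before = verify_checkout(root, "PLACEHOLDER_COMMIT_ID", lookaside)
        src.write_text("void main () { /* altered */ }\n")
        return before, verify_checkout(root, "PLACEHOLDER_COMMIT_ID", lookaside)
```

An automated builder would run `verify_checkout` after fetching and before building, and treat a commit id missing from the lookaside as a failure rather than a pass.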

