> As above, hashes can be computed on the unpacked activity bundles. No
> modification to the bundle format is necessary; moreover, why would you
> ever rely on the correctness of a manifest supplied by the bundle
> itself?

The current manifest format hashes everything in a directory. That includes Python compiled files (arguably correct, but also arguably a separate issue); any signatures or subfiles of signatures (manifests and hashes) which may be included in the future; git-related invisible files which may be on a developer's machine; and the dist/ directory, likewise. This could be a problem. A smart bundle format would, I argue, at a minimum exempt signatures and the cryptographic manifest (not MANIFEST, but HASHES) from being hashed.

_______________________________________________
Devel mailing list
Devel@lists.laptop.org
http://lists.laptop.org/listinfo/devel
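
The exemption argued for in the message above, as an added example that is not part of the original post or of any project code: a directory hasher that skips the cryptographic manifest and signature files, so that signing a bundle does not change the digest being signed. The `.sig` suffix, the function names and the sample bundle contents are assumptions made for illustration; `HASHES`, `.git` and `dist/` come from the message.

```python
import hashlib
import os
import tempfile

# The post names HASHES; the "*.sig" suffix for signature files is an assumption.
EXEMPT_FILES = {"HASHES"}
EXEMPT_SUFFIXES = (".sig",)
# Developer-machine residue the post also mentions; skipping it is optional here.
NOISE_DIRS = {".git", "dist"}
NOISE_SUFFIXES = (".pyc", ".pyo")

def bundle_hashes(root, exempt_crypto=True, skip_noise=True):
    """Return {relative_path: sha256_hex} for the files under root."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if skip_noise:  # prune in place so os.walk never descends into them
            dirnames[:] = [d for d in dirnames if d not in NOISE_DIRS]
        for name in filenames:
            if exempt_crypto and (name in EXEMPT_FILES or name.endswith(EXEMPT_SUFFIXES)):
                continue
            if skip_noise and name.endswith(NOISE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result

def bundle_digest(root, **kw):
    """One digest over the sorted (hash, path) lines, independent of walk order."""
    h = hashlib.sha256()
    for rel, digest in sorted(bundle_hashes(root, **kw).items()):
        h.update(f"{digest}  {rel}\n".encode())
    return h.hexdigest()

def demo():
    """Constructed bundle: signing changes the hash-everything digest, not the exempting one."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, ".git"))
        for rel, data in [("activity.py", b"print('hi')\n"), (".git/HEAD", b"ref\n")]:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        naive_before = bundle_digest(root, exempt_crypto=False, skip_noise=False)
        smart_before = bundle_digest(root)
        for rel in ("HASHES", "HASHES.sig"):  # constructed signing output
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(b"constructed\n")
        naive_after = bundle_digest(root, exempt_crypto=False, skip_noise=False)
        return naive_before != naive_after, smart_before == bundle_digest(root)
```

Anything the filter exempts is not covered by the digest, so a verifier should treat exempt files strictly as signature data and never load them as bundle content.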