On Tuesday, 30 April 2013 11.00.11, Oswald Buddenhagen wrote:
> On Mon, Apr 29, 2013 at 11:25:14AM -0700, Thiago Macieira wrote:
> > Adding a random file somewhere *usually* isn't a problem. It is a problem
> > only if the presence of a file changes the output of the build. And
> > that's exactly what configure.exe and the include/ dir do: they change
> > the output. It's not possible to cryptographically verify them. [...]
> >
> > You're going to say: why don't security-conscious people download from
> > Git? I would say that they should. But some people may not be able to
> > access our Git servers from their networks.
>
> even adding these together, i don't see any problem. the ultra-paranoid
> ones can simply delete include/ (and configure.exe) from the extracted
> source tree,

They have to know that those exist in the first place and should be deleted.
And then their build breaks, right now.

> and thus start as if they got the sources from git (as
> projected now, they'd need a "git init" to trick the build system into
> believing it's a real git build. that could be rectified by adding a
> -git-build option to configure).

Can we do it somehow less magically? Isn't there a way to do it if it needs to
be done, and not do it if it doesn't need to be done?

This brings memories of the old LICENSE.TROLL file...

--
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center
_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development