[Buildroot] [PATCH v3] ca-certificates: new package
Peter Korsgaard
jacmet at uclibc.org
Sun Jan 12 19:19:08 UTC 2014
>>>>> "Yann" == Yann E MORIN <yann.morin.1998 at free.fr> writes:
Hi,
>> > I guess there's no point in adding such a check for git, svn and all
>> > other VCSes. Only 'static' content wouls be elligible to being checked.
>>
>> Why not? I know git gives you strong integrity guarantees (if you use
>> the sha1 atleast), but E.G. svn doesn't.
> Because we can't guarantee the reproducibility of an archive generated
> by git archive, since at least the file's date may change, end up in the
> tarball, and thus generate a different hash, even if the 'content' of
> the archive is the same. Also, a different git version may re-order the
> files, or whatever.
Ahh, yes.
> For a VCS, maybe the list of files and their respective contents are OK,
> but we can't say anything about the generated archive.
True. If we implement it like _LICENSE, we can probably just not add
those tags for packages using git/hg/svn/..
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list