Draft: use tarballs instead of git clone in contribs

Open Romain Vimont requested to merge rom1v/vlc:contrib_archive into master

Some contribs are downloaded using a simple git clone.

A local .tar.xz is created locally, and the checksum of this local archive was used in the past, but the actual content may depend on a specific git/tar/xz version, so the check was removed by !6161 (merged).

As a result, the source is now only authenticated by the commit SHA-1 instead of a SHA-512 of the archive. Moreover, a contrib can use a "short hash", for example TREMOR_HASH := b56ffce0. If the tremor repository gets compromised, it is trivial to generate a new commit with the same hash.

Since a .tar.gz is always available (AFAIK), I suggest always using tarballs, and removing download_git in the end.

For now, I just changed x264 and tremor (and removed dead code for x265). If you agree, I can change the 9 remaining contribs using download_git.
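
As an added illustration (not code from this merge request or from the VLC tree), the Python below runs the two checks the description contrasts: it flags abbreviated `*_HASH` commit pins and verifies archive bytes against a pinned SHA-512, failing closed when no pin exists. The sha512sum-style pin format, the archive name, `EXAMPLE_HASH` and the sample data are assumptions constructed for the example.

```python
import hashlib
import hmac
import re

# Matches make assignments such as "TREMOR_HASH := b56ffce0" (form quoted above).
HASH_VAR = re.compile(r"^\s*(\w+_HASH)\s*:?=\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)
FULL_SHA1_LEN = 40  # hex digits in an unabbreviated git SHA-1 object name


def find_abbreviated_hashes(rules_text):
    """Return (variable, value) pairs whose commit hash is abbreviated."""
    return [(name, value) for name, value in HASH_VAR.findall(rules_text)
            if len(value) < FULL_SHA1_LEN]


def parse_sums(sums_text):
    """Parse sha512sum-style lines ("<128 hex>  <filename>") into a dict."""
    pinned = {}
    for line in sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and re.fullmatch(r"[0-9a-f]{128}", parts[0]):
            pinned[parts[1].lstrip("*").strip()] = parts[0]
    return pinned


def verify_archive(name, data, pinned):
    """True only if the archive bytes match the SHA-512 pinned for that name."""
    expected = pinned.get(name)
    if expected is None:
        return False  # fail closed: no pinned digest means unauthenticated
    actual = hashlib.sha512(data).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample input; only the TREMOR_HASH line comes from the description.
RULES = "TREMOR_HASH := b56ffce0\nEXAMPLE_HASH := " + "ab" * 20 + "\n"
ARCHIVE = b"constructed tarball bytes"
SUMS = hashlib.sha512(ARCHIVE).hexdigest() + "  tremor-example.tar.gz\n"

if __name__ == "__main__":
    print(find_abbreviated_hashes(RULES))
    pinned = parse_sums(SUMS)
    print(verify_archive("tremor-example.tar.gz", ARCHIVE, pinned))
    print(verify_archive("tremor-example.tar.gz", ARCHIVE + b"x", pinned))
```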
