Draft: use tarballs instead of git clone in contribs
Some contribs are downloaded using a simple git clone. A local .tar.xz is created locally, and the checksum of this local archive was used in the past, but the actual content may depend on a specific git/tar/xz version, so the check was removed by !6161 (merged).

As a result, the source is now only authenticated by the commit SHA-1 instead of a SHA-512 of the archive. Moreover, a contrib can use a "short hash", for example TREMOR_HASH := b56ffce0. If the tremor repository gets compromised, it is trivial to generate a new commit with the same hash.

Since a .tar.gz is always available (AFAIK), I suggest always using tarballs, and removing download_git in the end.

For now, I just changed x264 and tremor (and removed dead code for x265). If you agree, I can change the 9 remaining contribs using download_git.
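The following is an added example, not code from this merge request or from the VLC contrib system, illustrating why a checksum over a locally generated .tar.xz is brittle while a checksum over an upstream-published tarball (or over the extracted content) is stable. The source tree, file names and the tremor-like layout are constructed for the demo.

```python
import hashlib
import io
import tarfile

# Constructed sample source tree standing in for a contrib checkout (not real tremor sources).
SAMPLE_TREE = {
    "tremor/README": b"Tremor sample\n",
    "tremor/src/ivorbisfile.c": b"int main(void) { return 0; }\n",
}


def build_tar_xz(tree, mtime, preset):
    """Pack the same tree into a .tar.xz; mtime and xz preset stand in for
    the tar/xz version differences that make a local archive non-reproducible."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz", preset=preset) as tar:
        for name in sorted(tree):
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(tree[name]))
    return buf.getvalue()


def sha512_hex(data):
    """Checksum of the archive bytes, as a contrib SHA512SUMS entry would pin."""
    return hashlib.sha512(data).hexdigest()


def content_digest(archive_bytes):
    """Digest of the extracted content (sorted path + bytes), independent of
    how the archive itself was produced."""
    h = hashlib.sha512()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:xz") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            if member.isfile():
                h.update(member.name.encode() + b"\0")
                h.update(tar.extractfile(member).read())
    return h.hexdigest()


def verify(archive_bytes, expected_sha512):
    """The check a contrib performs against a pinned SHA-512 of a fixed upstream tarball."""
    return sha512_hex(archive_bytes) == expected_sha512


if __name__ == "__main__":
    a = build_tar_xz(SAMPLE_TREE, mtime=0, preset=6)
    b = build_tar_xz(SAMPLE_TREE, mtime=1700000000, preset=9)
    print("archive checksums equal:", sha512_hex(a) == sha512_hex(b))   # False
    print("content digests equal:", content_digest(a) == content_digest(b))  # True
```

Pinning the SHA-512 of a tarball published by upstream (as the tarball-based contribs do) avoids this problem because every builder downloads the same bytes, unlike an archive regenerated locally from a git clone.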