[vlc-commits] contrib: use git-archive and save the hash
Rémi Denis-Courmont
git at videolan.org
Mon Feb 20 21:10:28 CET 2017
vlc | branch: master | Rémi Denis-Courmont <remi at remlab.net> | Mon Feb 20 22:01:25 2017 +0200| [8fe4168947dd6cabd2aabb84cebc9aa6148e5d43] | committer: Rémi Denis-Courmont
contrib: use git-archive and save the hash
git-archive is supposed to validate the git repository to match the
git hash, and the git hash itself is supposed to be cryptographically
secure. So if we save it, we can reuse it to check the tarball.
Note: Alternatively, we could rely on git-archive making reproducible
tarballs, which it indeed does, then perform a regular hash of the
decompressed tarball. It is however unclear if git-archive tarballs are
reproducible *across* Git versions, which could lead to problems.
Note 2: This still requires a head to fetch from. In principle,
fetching a hash directly is possible, but not all servers allow it.
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=8fe4168947dd6cabd2aabb84cebc9aa6148e5d43
---
contrib/src/main.mak | 30 +++++++++++++++++++++++-------
1 file changed, 23 insertions(+), 7 deletions(-)
diff --git a/contrib/src/main.mak b/contrib/src/main.mak
index 9461a6c..6d95f56 100644
--- a/contrib/src/main.mak
+++ b/contrib/src/main.mak
@@ -252,6 +252,12 @@ else
XZCAT ?= $(error xz and lzma client not found!)
endif
+ifeq ($(shell which xz >/dev/null 2>&1 || echo FAIL),)
+XZ = xz
+else
+XZ ?= $(error XZ (LZMA) compressor not found!)
+endif
+
ifeq ($(shell which bzcat >/dev/null 2>&1 || echo FAIL),)
BZCAT = bzcat
else
@@ -317,13 +323,23 @@ HOSTVARS_PIC := $(HOSTTOOLS) \
LDFLAGS="$(LDFLAGS)"
download_git = \
- rm -Rf $(@:.tar.xz=) && \
- $(GIT) clone $(subst HEAD, --depth 1,$(findstring HEAD, $3)) $(2:%=--branch %) $(1) $(@:.tar.xz=) && \
- (cd $(@:.tar.xz=) && $(GIT) checkout $(3:%= %)) && \
- rm -Rf $(@:%.tar.xz=%)/.git && \
- (cd $(dir $@) && \
- tar cvJ $(notdir $(@:.tar.xz=))) > $@ && \
- rm -Rf $(@:.tar.xz=)
+ rm -Rf -- "$(@:.tar.xz=)" && \
+ $(GIT) init --bare "$(@:.tar.xz=)" && \
+ (cd "$(@:.tar.xz=)" && \
+ $(GIT) remote add origin "$(1)" && \
+ $(GIT) fetch origin "$(2)") && \
+ (cd "$(@:.tar.xz=)" && \
+ $(GIT) archive --prefix="$(notdir $(@:.tar.xz=))" \
+ --format=tar "$(3)") > "$(@:.xz=)" && \
+ echo "$(3) $(@)" > "$(@:.tar.xz=.githash)" && \
+ rm -Rf -- "$(@:.tar.xz)" && \
+ $(XZ) --stdout "$(@:.xz=)" > "$@.tmp" && \
+ mv -f -- "$@.tmp" "$@"
+check_githash = \
+ h=`sed -n -e "s,^\([0-9a-fA-F]\{40\}\) $<,\1,p" \
+ < "$(<:.tar.xz=.githash)"` && \
+ test "$$h" = "$1"
+
checksum = \
$(foreach f,$(filter $(TARBALLS)/%,$^), \
grep -- " $(f:$(TARBALLS)/%=%)$$" \
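Review bot: check_githash only compares the hash recorded in the `.githash` sidecar with the expected one, so it shows which commit the tarball was created for but never re-verifies the tarball's bytes. A cached tarball that is truncated or replaced while the sidecar stays intact would still pass, so either say so in a comment above `check_githash` or also record a digest of `$@` in the sidecar and compare it. The same macro pastes `$<` into the sed pattern unescaped and without an end anchor, so dots in the path match any character; ending the pattern with `$<$$,\1,p` would at least anchor it. In download_git, `rm -Rf -- "$(@:.tar.xz)"` lacks the `=` of a substitution reference, so GNU make most likely expands it to nothing and the bare repository is left behind; it should read `rm -Rf -- "$(@:.tar.xz=)"`. The `--prefix` value has no trailing slash, and git-archive prepends the prefix verbatim, so entries only land under a directory if it is written `--prefix="$(notdir $(@:.tar.xz=))/"`.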