Dealing with circular BuildRequires?
tmz at pobox.com
Fri Oct 7 19:38:04 UTC 2011
Jesse Keating wrote:
> On Oct 7, 2011, at 8:21 AM, Till Maas wrote:
>> On Fri, Oct 07, 2011 at 07:53:25AM -0700, Jesse Keating wrote:
>>> Might have gone quicker if you pull via git:// and then only push
>>> via ssh:// reducing your ssh handshakes by half.
>> How do you ensure the integrity of the git repo if it is pulled via
>> git://? As far as I can see doing this automatically is an invitation to
>> perform man-in-the-middle attacks.
> Sure that's a risk. It'd take a fairly sophisticated attack to take
> advantage of it, but yes, it's a risk. Strikes me as easier to just
> fake your way into the packager group and upload your bad-bits that
> way. Everything is a balance between risk and performance.

For anyone that wanted a bit of both, you could pull via git and then
verify the hash of the branches before you used them. It's quick
to use git ls-remote to get that information over ssh, for one branch,
or just heads, or whatever.

[tmz at panaeolus git (master)]$ git ls-remote ssh://pkgs.fedoraproject.org/git master

[tmz at panaeolus git (master)]$ git for-each-ref refs/remotes/origin/master
f8faec03bd41627fb60e26004b1727d30fabe94a commit refs/remotes/origin/master

Or just using cat:

[tmz at panaeolus git (master)]$ cat .git/refs/remotes/origin/master

Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
Religion. A daughter of Hope and Fear, explaining to Ignorance the
nature of the Unknowable.
-- Ambrose Bierce, The Enlarged Devil's Dictionary, 1906
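
The check described in the message above, written out as a script. This is an added example, not part of the original post: `verify_ref` and `demo` are hypothetical names, and the demo uses constructed local repositories in place of the git:// and ssh:// remotes.

```shell
#!/bin/sh
# verify_ref REPO TRUSTED_URL BRANCH   (hypothetical helper, added example)
# Compare the tip recorded locally for origin/BRANCH (fetched over an
# unauthenticated transport such as git://) with the tip that TRUSTED_URL
# (e.g. ssh://pkgs.fedoraproject.org/git) advertises for the same branch.
# Returns 0 on match, 1 on mismatch, 2 if either hash could not be read.
verify_ref() {
    repo=$1 trusted_url=$2 branch=$3
    # Hash of the remote-tracking ref written by the untrusted fetch.
    local_hash=$(git -C "$repo" rev-parse --verify -q \
        "refs/remotes/origin/$branch") || return 2
    # ls-remote prints "<hash> <refname>"; keep only the exact ref asked for.
    trusted_hash=$(git ls-remote "$trusted_url" "refs/heads/$branch" |
        awk -v r="refs/heads/$branch" '$2 == r { print $1 }')
    [ -n "$trusted_hash" ] || return 2
    if [ "$local_hash" = "$trusted_hash" ]; then
        echo "OK $branch $local_hash"
        return 0
    fi
    echo "MISMATCH $branch local=$local_hash trusted=$trusted_hash" >&2
    return 1
}

# Constructed demo: a local bare repo stands in for the trusted remote.
# Sets demo_first (expected 0) and demo_second (expected 1).
demo() {
    d=$(mktemp -d) || return 2
    g="git -c user.name=demo -c user.email=demo@example.invalid"
    git init -q --bare "$d/trusted.git"
    git -C "$d/trusted.git" symbolic-ref HEAD refs/heads/master
    git init -q "$d/work"
    git -C "$d/work" symbolic-ref HEAD refs/heads/master
    $g -C "$d/work" commit -q --allow-empty -m one
    git -C "$d/work" push -q "$d/trusted.git" master
    git clone -q "$d/trusted.git" "$d/clone"
    demo_first=0
    verify_ref "$d/clone" "$d/trusted.git" master || demo_first=$?
    # The trusted side moves on, so the clone's tracking ref no longer matches.
    $g -C "$d/work" commit -q --allow-empty -m two
    git -C "$d/work" push -q "$d/trusted.git" master
    demo_second=0
    verify_ref "$d/clone" "$d/trusted.git" master || demo_second=$?
    rm -rf "$d"
}
```

A mismatch can also mean the branch advanced between the fetch and the check, so fetch again and re-run before treating it as tampering.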