David Dalcino
David Dalcino
> I think it worth squashing commits to merge. Ok. I've re-ordered and squashed about half of these commits, and I think it's worthwhile to preserve the remaining history. I'm...
I think this is a graph traversal problem. Each `` that you install contains a list of dependencies in the `` xml tag. You need to find the Updates.xml file...
Thanks for letting us know about the lack of sha256 hashes on the mirrors. IMHO, we should be very careful about allowing aqt to use sha1 or md5 hashes in...
There are other potential solutions to this problem, other than using insecure checksums. We could host our own copies of the expected sha256 checksums here on Github, and use our...
Last night I tried to install qt 6.4.0 in CI, but the job failed because there’s no sha256 hashes for any of the files in that directory, on the download.qt.io...
Quick update on the sha256 situation: There are now sha256 hashes available for Qt 6.4.0. The CI job that I observed as failing (due to missing hash) now passes: https://dev.azure.com/miurahr/github/_build/results?buildId=5742&view=logs&j=b86c6ba8-325a-58b4-9c91-e9a8f44b4793
> I'm not security expert but I don't see a problem here. Even if attacker creates a hash collision, that "malicious" copy will contain a garbage, so no code can...
No, the mirrors are fine, as long as the binaries they host match the sha256 hashes hosted on download.qt.io. It’s relatively easy to fake a sha1 hash, and extremely difficult...
Maybe it's too early to go up to MacOS-12 yet: [this ios build](https://dev.azure.com/miurahr/github/_build/results?buildId=5480&view=logs&jobId=bae13455-f657-522d-e2b4-64495419fb63&j=1ea727ed-2050-5877-9d96-adddb35f7943&t=b67eabc5-7e7e-54c5-0f88-bc35772ccffe) failed, because there's a file at `Qt/6.2.2/ios/mkspecs/features/uikit/devices.py` that specifies that it must be run with `/usr/bin/python` in...
Ok, I don't know why the ios builds are using a "legacy build system" in CI, but until we figure out how to use the "new build system", our ios...