René Scharfe <l.s.r@xxxxxx> writes:

>> The verifier has a tarball. In addition, the verifier knows the
>> object name of the Git tree object the tarball was taken from, and
>> somehow trusts that the object name is genuine. We can do either
>> "untar + git-add . && git write-tree" or its equivalent to see how
>> the contents hashes to the expected tree (or not).
> ...
> Right, but the tree hash does not directly allow to see which objects
> are tracked or not.

Ah, of course---it was silly of me to overlook this obvious fact
X-<.

So we do need some extra "manifest" to declare what's untracked
etc., if we allow --add-file etc. to munge the tree when creating a
tarball out of it.
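
The "untar + git-add . && git write-tree" check from the message above, and the mismatch that `--add-file` causes, as an added example that is not part of the original thread. The repository, file names and function names are constructed for illustration, and it assumes `tar` and a `git` recent enough to support `git archive --add-file`.

```shell
#!/bin/sh
# Added example: all paths, file names and function names are constructed.

# Print the tree object name that the contents of tarball $1 hash to.
tree_of_tarball() {
    scratch=$(mktemp -d) || return 1
    git init -q "$scratch" >/dev/null 2>&1 &&
    tar -xf "$1" -C "$scratch" &&
    git -C "$scratch" add -A . &&
    git -C "$scratch" write-tree
    status=$?
    rm -rf "$scratch"
    return $status
}

# Succeed only if tarball $1 hashes to the trusted tree object name $2.
verify_tarball() {
    actual=$(tree_of_tarball "$1") || return 2
    [ "$actual" = "$2" ]
}

# Build a one-file tree, archive it with and without an untracked extra
# file, and report how each tarball compares to the trusted tree name.
demo() {
    work=$(mktemp -d) || return 1
    git init -q "$work/repo" >/dev/null 2>&1
    printf 'hello\n' > "$work/repo/tracked.txt"
    git -C "$work/repo" add tracked.txt
    tree=$(git -C "$work/repo" write-tree)      # the name the verifier trusts
    printf 'generated\n' > "$work/version.txt"  # never added to Git
    git -C "$work/repo" archive --format=tar -o "$work/plain.tar" "$tree"
    git -C "$work/repo" archive --format=tar -o "$work/munged.tar" \
        --add-file="$work/version.txt" "$tree"
    verify_tarball "$work/plain.tar" "$tree" && plain=match || plain=MISMATCH
    verify_tarball "$work/munged.tar" "$tree" && munged=match || munged=MISMATCH
    rm -rf "$work"
    echo "plain=$plain munged=$munged"
}
```

The munged tarball fails the check, and the tree hash alone cannot say whether the extra file is a legitimate `--add-file` addition or tampering, which is why the message concludes that a separate manifest is needed.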