f0rt

The request is specific for packing NSIS for Debian Linux. The linter of Debian (lintian) suggests to verify the upstream tarball using a cryptographic signature (https://udd.debian.org/lintian-tag/debian-watch-does-not-check-openpgp-signature). So there would be a file named https://sf.net/nsis/nsis-3.11-src.tar.bz2.asc containing the OpenPGP signature (result of signing released source code tarball) provided next to the released source code tarball https://sf.net/nsis/nsis-3.11-src.tar.bz2. Illustrated...

The request is specific for packing NSIS for Debian Linux. The linter of Debian (lintian) suggests to verify the upstream tarball using a cryptographic signature (https://udd.debian.org/lintian-tag/debian-watch-does-not-check-openpgp-signature). So there would be a file named https://sf.net/nsis/nsis-3.11-src.tar.bz2,asc containing the OpenPGP signature (result of signing released source code tarball) provided next to the released source code tarball https://sf.net/nsis/nsis-3.11-src.tar.bz2. Illustrated...

The SHA1 hash provides some protection but does not enable to check that no third party changes occurred after its release.

Thanks for the feedback. I read the latest changelog of nsisbi. It states "Solid compression is not supported with big installers". So it looks to me that nsisbi would not help in case of solid compression.

Unable to generate a solid compressed installer when size of installed files exceeds 2 GiB

Fix fprintf format security warnings for halibut

Thanks a lot for your explanation. I am going to give the idea of overriding CC adn CXX more thought. Currently there is no need to override CC and CXX. scons picks up the installed GNU C and C++ compiler (symbolic link named as the respective compiler pointing to the ccache executable). For example the following command line is used to build the makensis compiler scons APPEND_CCFLAGS="-Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -fdebug-prefix-map=/builds/debian/nsis/debian/output/nsis-3.06.1=. -fstack-protector-strong...

Your proposal to propagate the CCACHE_DIR environment variable via the command line argument CC="CACHE_DIR=/tmp/whatever ccache" seems to work. I assume the same has to be done for CXX and for the cross compilers (i686-w64-mingw32-gcc, i686-w64-mingw32-g++). This feels more like a workaround than a solution. main.c int main(int argc, char *argv[]) { return 42; } SConstruct defenv = DefaultEnvironment() Export('defenv') opts = Variables() opts.Add(('CC', 'Override C compiler', None)) opts.Update(defenv)...