> We're not talking code changes here, but purely a data request
You are right. My comment was a bit offroad; I could have made that clearer (about how to deal with "data" (code, ...) in an international context).
> I think it'd be quite hard to construct that in a truly "safe" way.
For open source code it is easy - everyone sees the changes and why they've been promoted.
For closed source, having your source at a third party (or synchronized), building from only the identical code (between the two repositories), and enforcing a two-eyes kind of code promotion (merge) will make it so that any change in the code that is not vetted by both parties (or multiple parties) will not get built.
I gave the example of TrueCrypt that was unfortunately US-only and they had to revert to allusions in order to inform that it was tampered with.