Signing revisions in place

Jens Alfke jens at mooseyard.com
Wed Oct 3 15:33:32 CDT 2007


On 3 Oct '07, at 11:57 AM, Dustin Sallings wrote:

>  I like the idea of signing tags quite a bit.

That's also useful, agreed, and it's more like the way the gpg  
extension works. I'm not sure quite how a tag is implemented — is it  
similar to a child revision, under the hood? If so, the same technique  
I proposed would apply.

>  gnu arch allowed one to sign each revision.  I'm not sure if that's  
> generally valuable here

I think it is; the more so, the more paranoid you are :) or if the  
project belongs to an organization that wants to know exactly who  
commits (or to restrict who can commit into important repositories.)  
There have also been cases where open-source projects were compromised  
by maliciously-introduced changes that opened security holes; I  
remember cases of this in both WordPress and the Linux kernel.  
Signatures can make it possible to guard against that.

> but if one could be confident in a signature on a revision hash, and  
> confident that the correct tree could be generated from that hash, I  
> think the solution is pretty solid.

The manifest hash identifies every file, its contents and ancestry.  
SHA-1 isn't the best hash out there, but it's still considered "pretty  
good", and used for a lot of secure systems.

Generating the tree from a hash is impossible, though. Hashes are by  
design one-way, and in any case the hash only holds 160 bits of  
information, which is orders of magnitude smaller than any source  
tree! But of course one can verify the authenticity of a revision from  
an authenticated manifest hash.

--Jens
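The scheme described above, as an added example (not from this thread or from Mercurial's own code): a Go sketch in which the committer signs only the 20-byte manifest hash, and a reviewer verifies that signature and then recomputes the hash from the tree actually received. It assumes Ed25519 from Go's standard library as the signature primitive (the gpg extension uses GnuPG instead) and a simplified manifest whose nodes all have null parents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"sort"
)

// nullID is Mercurial's all-zero null node id; every node here has null parents.
var nullID [20]byte
// nodeID mirrors Mercurial's revlog hashing: sha1(p1 || p2 || text).
func nodeID(p1, p2 [20]byte, text []byte) [20]byte {
	return sha1.Sum(append(append(p1[:], p2[:]...), text...))
}

// ManifestHash hashes the sorted "path\0hexfilenode\n" manifest lines, as Mercurial does.
func ManifestHash(tree map[string][]byte) [20]byte {
	paths := make([]string, 0, len(tree))
	for p := range tree {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var m []byte
	for _, p := range paths {
		fn := nodeID(nullID, nullID, tree[p])
		m = append(m, p+"\x00"+hex.EncodeToString(fn[:])+"\n"...)
	}
	return nodeID(nullID, nullID, m)
}

// VerifyTree checks the signature on the claimed hash, then recomputes it from the received tree.
func VerifyTree(pub ed25519.PublicKey, claimed [20]byte, sig []byte, tree map[string][]byte) bool {
	return ed25519.Verify(pub, claimed[:], sig) && ManifestHash(tree) == claimed
}

// Demo signs a constructed two-file tree, then silently alters one file.
func Demo() (cleanOK, tamperedOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tree := map[string][]byte{"README": []byte("hello\n"), "src/a.c": []byte("int x;\n")}
	mh := ManifestHash(tree)
	sig := ed25519.Sign(priv, mh[:]) // the committer signs the hash, not the tree
	cleanOK = VerifyTree(pub, mh, sig, tree)
	tree["src/a.c"] = []byte("int x; int y;\n")
	return cleanOK, VerifyTree(pub, mh, sig, tree)
}

func main() { fmt.Println(Demo()) }
```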