Proving ownership of code with mercurial?

Francesc Esplugas francesc.esplugas at gmail.com
Wed Jan 2 03:44:21 CST 2008 

I've been working on a project during three months and as I work  
freelance they say I only worked the first 6 weeks. Everything is  
under Mercurial with daily changesets (and these changesets contain  
data). The repo distributed in a few machines, but I keep the master.

I know all the work that I've made, and I've printed the list of  
changesets, so I can explain my client all the work, but they might  
say I've changed the repos to reflect this "log history".

The question should be ... should I trust the repos? In a Git  
conference Linus Torvals talked about the security of Git, about  
trust. He can know if someone has hacked the repository ... bla bla  
bla ... so the idea would be to show to my client, that the repos  
hasn't changed and that he can trust it ...

Francesc

On Jan 2, 2008, at 10:32 AM, Peter Arrenbrecht wrote:

> On Jan 2, 2008 9:34 AM, Dustin Sallings <dustin at spy.net> wrote:
>>
>> On Jan 1, 2008, at 23:59, Francesc Esplugas wrote:
>>
>>> I want to prove all the work I've done. I understand some of my code
>>> can be a copy and paste from other projects or other developers, but
>>> the idea is to prove I've been working on the project.
>>>
>>> Proving the integrity (hg verify) of the repository, could prove
>>> nobody hacked it?
>>
>>
>>        If you can update to a version whose ancestry includes your  
>> changes,
>> then those changes are there.  Anyone who's cloned the tree would
>> notice if you tried to rewrite history somewhere and pass it off as
>> their upstream.
>>
>>        Sounds like you might be fighting an uphill battle, though.   
>> Good luck.
>
> Key point: If no one ever cloned your repo, then the repo's integrity
> won't help you. It is easy to create a brand new repo with backdated
> history. And if the repo contains only your changes (not interleaved
> with changes by others), you would need the other party to have
> demonstrably old clones which show your changes really are as old as
> you claim.
>
> But, as someone noted before, this is about who has to prove what. So:
> what exactly do you want to prove? Time spent? Goals achieved? Lines
> of code contributed? What?
>
> And why do you feel you need to prove this? If they claim you
> reattributed changes done by others to yourself, where are those
> others? What grounds have they for making the claim? If they claim the
> result is not worth 3 months' time, then the repo should show the
> evolution of the result, which might show otherwise. But this does not
> hinge on the repo's integrity.
>
> -peter

--
name. Francesc Esplugas i Martí
voice. +34 678.681.603

More information about the Mercurial mailing list