How to check the authenticity of a changeset?

Bastian Doetsch bastian.doetsch at gmx.de
Tue Nov 11 15:47:01 CST 2008


On Tuesday, 11.11.2008, at 23:07 +0200, Maxim Vuets wrote:

> Folks,
> 
> Mercurial wiki tells us a lot about ways of sharing a repo,
> how to set up different levels of access for various users etc.
> But it tells nothing about how to check the authenticity
> of a pushed commit. I'll try to explain what I need...
> 
> I have a shared repo and, assume, 3 developers. All of them
> are able to push to the repo. But some developer-1st can
> make evil changes, commit them with -u 'developer-2nd'
> and push this fake changeset to the shared repo.
> This way all responsibility for the change now belongs to
> the innocent developer-2nd (:
> 

If everyone's changesets are signed this will fail, as each changeset
will then be cryptographically signed via gpg. Have a look at hg sign -
it should help with your use case. Another way would be not to give push
access to someone you don't trust :-). And, if the second developer
spots the "faked" changeset, he/she can still push a backout changeset.

Bastian
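
An added example, not part of the original message and not Mercurial's own code: signing counters the `-u` impersonation described in the question only when the verified signer of each changeset is compared with the key registered for the name in its user field. The code assumes gpg has already verified the signatures and that a name-to-fingerprint table exists; `audit_push`, `TRUSTED_KEYS` and all hashes, names and fingerprints are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Changeset:
    node: str  # changeset hash (constructed, shortened)
    user: str  # free-text author field; `hg commit -u` can set it to anything

# Assumed policy table: committer name -> fingerprint of that person's GPG key.
TRUSTED_KEYS = {"developer-1st": "AAAA1111", "developer-2nd": "BBBB2222"}

def audit_push(changesets, verified_sigs, trusted_keys=TRUSTED_KEYS):
    """Return (node, user, reason) for each changeset that fails the policy.

    verified_sigs maps node -> set of key fingerprints whose signature over
    that node has already been verified by gpg; this function only enforces
    the binding between the claimed author and the signing key.
    """
    findings = []
    for cs in changesets:
        expected = trusted_keys.get(cs.user)
        signers = verified_sigs.get(cs.node, set())
        if expected is None:
            findings.append((cs.node, cs.user, "unknown committer"))
        elif not signers:
            findings.append((cs.node, cs.user, "unsigned"))
        elif expected not in signers:
            findings.append((cs.node, cs.user, "signer is not the claimed author"))
    return findings

# Constructed push: one genuine changeset and two carrying a forged user field.
PUSH = [
    Changeset("a1b2c3", "developer-2nd"),  # really by developer-2nd
    Changeset("d4e5f6", "developer-2nd"),  # forged, left unsigned
    Changeset("0a9b8c", "developer-2nd"),  # forged, signed with developer-1st's key
]
VERIFIED = {"a1b2c3": {"BBBB2222"}, "0a9b8c": {"AAAA1111"}}

if __name__ == "__main__":
    for node, user, reason in audit_push(PUSH, VERIFIED):
        print(f"reject {node} (claims {user}): {reason}")
```

The third sample changeset is the case to watch: it carries a valid signature, so a rule that only asks "is it signed?" would accept it.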