User masquerading - audit trail?
Kurt Granroth
kurt.mercurial at granroth.com
Sat Oct 4 17:54:19 CDT 2008
Mark A. Flacy wrote:
> On 10/04/2008 02:57:54 PM, Kurt Granroth wrote:
>> Yes, but the user has that ultimate control only at the local level.
>> I can get the mercurial repo locally and make a holy mess in it... but
>> eventually, if I try to push it back to the central repository, all
>> that is for naught. I still have to authenticate in order to push and so
>> the central server *does* know who I am, regardless of who I'm claiming
>> to be.
>
> There is no guarantee there is a "central repository".
>
> None.
>
> Any conclusions that you draw with such an assumption will be suspect.

That's true only in the abstract realm of DVCS theory. In reality,
every publicly available project MUST adhere to the concept of a central
repository. It's not only possible, it's unavoidable.

Say I create a new project called CoolApp that I put out under some OSS
license. I decide that I'm going to be a DVCS purist and not have
anything resembling a central repository. I then publish my working
repository via hg.coolapp.org. Lots of people like the app and they
clone it to sharedhost.org/~user/coolapp and coolappcopy.org/hg and a
bunch of others. Some of those are further cloned into other working
copies. People start making changes to CoolApp. Where to push the
change? Maybe to the repo that they cloned? And then maybe that repo
pushes it to its parent?

Eventually, you'll come to one of those scenarios. Either every change
is aggregated up to your repo, which makes it a de facto central repo, OR
the changes are scattered among a bunch of other repos.

Now along comes a user that doesn't want to develop CoolApp, she just
wants to use it. Where does she get it from? My repo isn't the central
one so she can't get it from me...

Really, the only way that a DVCS can operate without a de facto central
repo is for one-way code (release it under public domain and never care
what happens to it) or code that's kept within a small team. I
challenge you to find even *one* public project that uses a DVCS (hg,
darcs, bazaar, git, arch, whatever) that doesn't have any sort of
central repo.

And that's OSS projects... corporate projects are even MORE trivially
easy to have and enforce a central repo.