Enforcing usernames

Fri Jun 5 17:14:49 CDT 2009

Thomas Burdick <thomas.burdick at gmail.com> writes:

> It looks like some work has been done on this extension, I was
> wondering what still needed to be done as I actually need this!

As I remember it, then it currently more or less does what it's supposed
to do for GPG signatures. That is:

* sign changeset with GnuPG
* verify all or specified changesets
* has a hook for denying unsigned changesets

Lasse Kliemann need support for X.509 certificates as well and I think
it's a good idea to abstract things so that they aren't tied to
GnuPG/openssl/whatever. I think he's working on a design for that -- see
the other mails in this thread.

> Its important in certain legal situations where the owner of changes
> must be verifiable. Really. Cryptographic signatures solve this
> problem in a really nice way but it must be enforced on
> commit/push/pull.

I agree and can definitely understand why it might be a requirement to
have signatures on everything.

> So really, I'm more than willing to help make this little extension
> work, and work really well. It'd be great if it were included with
> mercurial at some point as well.

You should get together with Lasse and start coding :-) Fork this
repository:

  http://bitbucket.org/mg/commitsigs/

I think the feature is cool, but I'm not really needing this myself and
so I think the end result will be much better if people like you and
Lasse would drive the development.

When it is good and robust, we can talk about including it in Mercurial
for an upcoming release.

-- 
Martin Geisler

VIFF (Virtual Ideal Functionality Framework) brings easy and efficient
SMPC (Secure Multiparty Computation) to Python. See: http://viff.dk/.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://selenic.com/pipermail/mercurial/attachments/20090606/55823adb/attachment.pgp 