Improving support for signed revisions

Lasse Kliemann lasse-list-mercurial-2009 at mail.plastictree.net
Wed May 6 09:38:54 CDT 2009


Greetings,

is the GPG extension used by many? In which way are people using 
it? Being a long-time Subversion user, I got used to trusting the 
commit log to display the "correct" user names, i.e., when it 
says that revision X was committed by user A, then I can be sure 
that it was in fact committed by the person that I associate with 
name A (as long as the admin for the central repository shares my 
association). I already elaborated on this in another post, which 
unfortunately got no replies yet:

https://lists.berlios.de/pipermail/better-scm-discuss/2009-May/000051.html

Now, to achieve the same thing in distributed systems, 
cryptographic signatures must be used. Mercurial has an extension 
for this, but it looks to me to be in a rather early stage of 
development. That's why I ask who's using it and in which way. 

I find the following unsatisfactory about the current 
implementation of cryptographic signatures for Mercurial:

- A signature seems to generate a revision of its own, stating 
  which other revision is signed by it. This does not exactly 
  make commit logs easier to read. Instead, I'd like to have this 
  information displayed directly with the signed revision.
  This could be achieved by an external tool which filters the 
  commit log and maps signatures to their revision. However, I 
  feel that an integrated solution would be better.

- The commit log does not show which signatures are valid. There 
  is even no way to validate all existing signatures, only the 
  'sigcheck' command that validates a single signature. One 
  could write an external tool to check all signatures. However, 
  I feel that an integrated solution would be better.

- For my goals of being able to trust each and every user name in 
  the logs, each and every revision has to be signed. There seems 
  to be no way currently to automatically sign all revisions.

Any suggestions? Any plans to improve the GPG support in 
Mercurial in the near future? I'd be happy to participate in a 
design discussion.

Kind regards,
Lasse
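
A sketch of the external tool the message describes, as an added example that is not part of the original post and not Mercurial's own code: it maps signature entries onto the revisions they sign and lists revisions that carry none. It assumes the GPG extension's signature file (`.hgsigs`) holds one `node version base64-signature` line per signature; the log entries, user names and signature strings are constructed sample data.

```python
import re
from collections import defaultdict

# Assumed line layout: "<40-hex node> <version> <base64 signature>".
LINE_RE = re.compile(r"^([0-9a-f]{40}) (\S+) (\S+)$")

# Constructed sample data, not taken from any real repository.
SAMPLE_HGSIGS = """\
1111111111111111111111111111111111111111 0 iEYEABECAAYFAkoB
3333333333333333333333333333333333333333 0 iEYEABECAAYFAkoC
3333333333333333333333333333333333333333 0 iEYEABECAAYFAkoD
not-a-valid-line
"""
SAMPLE_LOG = [
    ("1" * 40, "alice"),
    ("2" * 40, "bob"),
    ("3" * 40, "alice"),
]


def parse_hgsigs(text):
    """Return ({node: [(version, sig_b64), ...]}, [malformed line numbers])."""
    sigs, bad = defaultdict(list), []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m:
            sigs[m.group(1)].append((m.group(2), m.group(3)))
        else:
            bad.append(lineno)  # report it; a damaged entry must not pass silently
    return dict(sigs), bad


def annotate(log, sigs):
    """Attach the number of signature entries to each (node, user) log entry."""
    return [(node, user, len(sigs.get(node, []))) for node, user in log]


def unsigned(log, sigs):
    """Revisions with no signature entry at all."""
    return [node for node, _ in log if node not in sigs]


if __name__ == "__main__":
    sigs, bad = parse_hgsigs(SAMPLE_HGSIGS)
    for node, user, count in annotate(SAMPLE_LOG, sigs):
        # A present entry is not a valid one: each still needs a GPG check.
        print(node[:12], user, f"{count} signature entr(y/ies)")
    print("unsigned:", [n[:12] for n in unsigned(SAMPLE_LOG, sigs)], "malformed lines:", bad)
```

The count only shows that an entry exists; whether it verifies against a trusted key still has to be checked per revision, for instance with the extension's `sigcheck` command.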