Improving support for signed revisions
Lasse Kliemann
lasse-list-mercurial-2009 at mail.plastictree.net
Sat May 9 06:53:57 CDT 2009
* Message by -Lasse Kliemann- from Thu 2009-05-07:
> The desire to mark certain revisions as trustworthy gives
> motivation for providing as many signatures as possible, in the
> best case for each revision. He who wishes to provide a signature
> for signalling trustworthiness might have a much easier job if he
> can trust certain committers *and* he can trust that a commit
> allegedly made by one of these trusted committers was in fact
> made by that trusted committer.
>
> I wonder how one could otherwise make sure that a revision is
> trustworthy, unless one *in* *detail* (e.g., by looking at
> all the diffs, line by line) checks each and every commit made
> since the last trustworthiness signature.

To put it another way: without some crypto sig on each revision,
it is even impossible to tell whether two revisions were made by
the same person. The 'user:' entry for a revision is similar to
the 'From:' header in an e-mail: the sender can put anything
there, claiming to be anyone else.

This might be irrelevant for a project with a handful of
developers that know each other personally. But it *is* an issue
in several other cases.
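
The point about the 'user:' entry, as an added example that is not part of the original message or of Mercurial's code: two changelog entries carry the same user string and both hash to valid revision ids, and only a signature over the id separates them. Assumptions: the entry layout is simplified, HMAC-SHA256 stands in for a public-key signature to stay within the standard library, and all names, keys and values are constructed.

```python
import hashlib
import hmac

NULLID = b"\0" * 20  # parent id used when a parent is absent

def changelog_text(manifest_hex, user, date, files, desc):
    """Changelog entry layout: manifest, user, date, files, blank line, description."""
    return "\n".join([manifest_hex, user, date, *sorted(files), "", desc]).encode()

def node_id(text, p1=NULLID, p2=NULLID):
    """Revision id: SHA-1 over both parent ids (sorted) followed by the entry text."""
    a, b = sorted([p1, p2])
    return hashlib.sha1(a + b + text).hexdigest()

def user_of(text):
    """Read back the 'user:' field, which is the second line of the entry."""
    return text.decode().split("\n")[1]

def sign(key, node):
    # Assumption: HMAC stands in for a public-key signature made by the committer.
    return hmac.new(key, node.encode(), hashlib.sha256).hexdigest()

def verify(key, node, sig):
    return hmac.compare_digest(sign(key, node), sig)

# Constructed sample data (hypothetical committer, key and manifest id).
ALICE = "Alice <alice@example.org>"
ALICE_KEY = b"constructed-key-held-only-by-alice"
MANIFEST = "ab" * 20

def demo():
    genuine = changelog_text(MANIFEST, ALICE, "1241870037 0", ["a.c"], "fix parser")
    claimed = changelog_text(MANIFEST, ALICE, "1241870099 0", ["a.c"], "tweak parser")
    g_node, c_node = node_id(genuine), node_id(claimed)
    g_sig = sign(ALICE_KEY, g_node)
    c_sig = sign(b"key-of-someone-else", c_node)  # this committer lacks Alice's key
    return {
        "same_user": user_of(genuine) == user_of(claimed),  # field alone cannot tell them apart
        "nodes_differ": g_node != c_node,                   # the hash gives integrity, not authorship
        "genuine_ok": verify(ALICE_KEY, g_node, g_sig),
        "claimed_ok": verify(ALICE_KEY, c_node, c_sig),
        "reused_sig_ok": verify(ALICE_KEY, c_node, g_sig),  # a signature is bound to one revision id
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```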