[Python-Dev] python-checkins

Dirkjan Ochtman dirkjan at ochtman.nl
Tue Jul 13 22:45:53 CEST 2010


This is getting a little off-topic, but let me just respond to this...

On Tue, Jul 13, 2010 at 22:10, Barry Warsaw <barry at python.org> wrote:
> Does Mercurial have a similar feature?  If so, I would suggest that we enable
> that and require committers to use registered gpg keys to sign their commits.
> We'd always have a verifiable chain back to a responsible party, and
> committers would be responsible for any changes or patches they merge on
> behalf of others.  IME the overhead is pretty trivial, but then I'm quite
> comfortable with gpg concepts and tools.

I wrote something on Stack Overflow about this today, which I reproduce here:

- You could verify that whoever is pushing the cset is also the
committer (by matching http or ssh authentication). This is somewhat
limiting because it can be useful when people push other developers'
changesets.

- You could use the pgp extension (from hgext) to explicitly sign
changesets after committing, but it's kind of a drag if you want to do
it for every changeset. In Mercurial, we only do this for releases.

- http://bitbucket.org/mg/commitsigs is another extension, which takes
a different tack to signing (I believe it doesn't sign the commit
metadata, only the file tree, which lets it sign before the commit is
finished, meaning it doesn't take up an extra cset).

- Mozilla uses a pushlog which just tracks who pushed what. This lets
you look in the commit history on the server (but only there) to see
who pushed what group of changesets, giving you a better paper trail
than you normally get. This can also be provided by changegroup
notifications, if you include the guy who did the push in the email
(this is what Python will do once their conversion is done).

Note that, if you're going to require that each cset is signed, each
non-committer contributor also has to have this facility, which IMO
raises the bar significantly. I think I added the pushing user to the
commit mails to provide just this kind of paper trail. Given the
tamper-proofness of the SHA1 changeset IDs (and yes, hg will move to
some newer hash algorithm at some point before SHA1 becomes too easy
to crack), I don't think signing each cset adds much value.

Cheers,

Dirkjan
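
Added example, not part of the original message and not Mercurial's own code: a simplified model of the two properties discussed above, the changeset ID as a SHA-1 over the parent IDs plus the revision text, and a server-side pushlog recording which authenticated user pushed which changesets. The changeset text layout, the `PushLog` class and the sample history are assumptions made for illustration.

```python
import hashlib

NULLID = b"\0" * 20  # id used for a missing parent


def node_id(text: bytes, p1: bytes = NULLID, p2: bytes = NULLID) -> bytes:
    """SHA-1 over both parent ids (sorted) followed by the revision text."""
    a, b = sorted((p1, p2))
    return hashlib.sha1(a + b + text).digest()


def build_chain(commits):
    """commits: [(user, description)]; each one is a child of the previous."""
    nodes, parent = [], NULLID
    for user, desc in commits:
        # Simplified changeset text (assumption): real changesets also carry
        # the manifest id, date and file list.
        parent = node_id(f"{user}\n{desc}".encode(), parent)
        nodes.append(parent)
    return nodes


class PushLog:
    """Hypothetical server-side record: authenticated pusher -> changeset ids."""

    def __init__(self):
        self.entries = []  # list of (pusher, [hex id, ...])

    def record(self, pusher, nodes):
        self.entries.append((pusher, [n.hex() for n in nodes]))

    def pusher_of(self, node):
        for pusher, hexnodes in self.entries:
            if node.hex() in hexnodes:
                return pusher
        return None


# Constructed sample history: carol pushes changesets written by alice and bob.
HISTORY = [("alice", "add parser"), ("bob", "fix bug"), ("alice", "release 1.0")]


def demo():
    original = build_chain(HISTORY)
    log = PushLog()
    log.record("carol", original)
    # Rewrite the middle changeset: its id and every descendant id change,
    # so none of the rewritten ids match what the pushlog recorded.
    rewritten = build_chain([HISTORY[0], ("bob", "fix bug + extra"), HISTORY[2]])
    return original, rewritten, log
```

The committer name inside a changeset is whatever the client wrote; the pushlog entry is the part tied to the server's http or ssh authentication.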

