[darcs-users] Re: signing of patches

David Roundy droundy at abridgegame.org
Tue Dec 7 12:41:50 UTC 2004


On Tue, Dec 07, 2004 at 01:18:29PM +0100, Karel Gardas wrote:
> seeing complexity of dealing with signed patches in darcs, I'm more and
> more inclined to use as simple as possible model which should be enough
> for near future and which should be 100% compatible with current darcs,
> i.e. no intrusive darcs repository changes. Thinking about this, I would
> like to get back to my most simple proposal which is (described as shell
> script) below. IMHO something like that is very simple, compatible with
> current darcs, secure and allows us to think about more general and/or
> complex solution for future darcs version(s). Limitations are:
> single-committer repositories only (in untrusted domain), rsync usage for
> push to untrusted domain. Of course we should use sha1 instead of the md5 used
> in the script below, and we probably don't need to check for prefs changes
> either...
> 
> What do you think? Especially what do you think about this model
> limitations?

Well, just signing a checksum of everything is definitely the simple way to
go, and except that you need to resign every time you push, pull or record
is a good solution.  The simplicity of the script is a bit much, since it
includes hashes of files that aren't in the repository (e.g. unrecorded
patches), but on the other hand, this doesn't hurt anything, as long as the
verification script doesn't require that all files included in the security
context exist.  I think I'd also leave out the prefs directory, since that
is intended to vary from repository to repository.

If you include the signed security-context in the repository... no, you
can't include it in the repository, since that would introduce an
interesting chicken and egg problem.

In any case, this might be a scenario where hooks to call external commands
before and after darcs is run would be helpful.  You could perhaps write a
post-hook to sign the repository (i.e. generate the security-context) on
one machine, and a post-hook on the consumer machine to verify the
correctness of the signature (e.g. after pulling).
-- 
David Roundy
http://www.darcs.net
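The model discussed in this thread, written out as an added example (not Karel's script or darcs project code): hash every file under _darcs except prefs/, sign the resulting list, and verify it after a pull without failing on listed files that are absent locally. It assumes sha1sum(1) or shasum(1) is installed; gpg(1) is only needed for the signing and signature-check functions.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal "security context" for a
# darcs repository. Assumes sha1sum(1) or shasum(1); gpg(1) only for signing.
set -e

hash_file() {  # print the SHA-1 of one file
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1"; else shasum -a 1 "$1"; fi | cut -d' ' -f1
}

# make_context REPO > CONTEXT: one "sha1 path" line per file under _darcs,
# sorted so the output is reproducible. _darcs/prefs is left out because it
# is meant to differ from repository to repository.
make_context() {
    ( cd "$1" && find _darcs -type f ! -path '_darcs/prefs/*' | LC_ALL=C sort |
      while IFS= read -r f; do printf '%s %s\n' "$(hash_file "$f")" "$f"; done )
}

# sign_context CONTEXT: detached OpenPGP signature written to CONTEXT.sig
sign_context() { gpg --batch --yes --detach-sign --output "$1.sig" "$1"; }

# verify_context REPO CONTEXT: succeed if every listed file that exists locally
# matches its recorded hash. Files named in the context but absent here are
# skipped (the publisher's context may list unrecorded patches that never
# reached this repository); any content mismatch is reported and fails.
verify_context() {
    repo="$1" ctx="$2" bad=0
    while read -r want path; do
        [ -f "$repo/$path" ] || continue
        got=$(hash_file "$repo/$path")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH: $path" >&2; bad=1
        fi
    done < "$ctx"
    return $bad
}

# verify_signed REPO CONTEXT: check the signature first, then the hashes
verify_signed() { gpg --batch --verify "$2.sig" "$2" && verify_context "$1" "$2"; }
```

As a post-pull hook on the consumer side, `verify_signed . /path/to/context` gives the check David describes; the publisher's post-record hook would run `make_context` followed by `sign_context`.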