[darcs-users] Security

Bennett Todd bet at rahul.net
Tue Dec 28 16:28:33 UTC 2004


2004-12-28T16:15:45 David Roundy:
> The basic idea is two-staged. First we need to add checksums
> to the inventory files, probably by adding a second alternate
> inventory file, for backwards compatibility. Then we add a
> mechanism for signing the inventory files, which is now sufficient
> to verify the entire repository.

Very cool.

If you extended that just a wee bit more, allowing multiple checksum
inventory files, each of which can be separately signed, one per
author, then you could have repos built from patches contributed,
and signed, by different folks, which could be robustly validated
with a keyring for all the contributors. No?

Or hmm. Would it suffice to do something outside of darcs, like
signing every patch in the repo, separately, with a detached sig
that's just carried along in the top dir, not managed by darcs? Then
some external tooling could periodically validate (check sigs on) a
whole repo, and it'd be easy to validate patches as they came in.

-Bennett
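
Added example, not part of the original message and not darcs code: a sketch of the external validator described above, with one checksum inventory per author that is trusted only if its signature verifies. The inventory line format, function names and patch file names are assumptions, and HMAC stands in for PGP detached signatures so the block runs offline.

```python
import hashlib, hmac, tempfile
from pathlib import Path

def parse_inventory(text):
    """Parse '<sha256-hex>  <patch-file>' lines (assumed format) into {name: digest}."""
    pairs = (ln.split(None, 1) for ln in text.splitlines() if ln.strip())
    return {name.strip(): digest.lower() for digest, name in pairs}

def validate_repo(patch_dir, inventories, signature_ok):
    """inventories: {author: (inventory_text, detached_sig)}. signature_ok(author, text, sig)
    is caller-supplied; in practice it would wrap a PGP verify against the contributor keyring."""
    report = {"bad_signature": [], "mismatch": [], "missing": [], "unsigned": []}
    claims = {}  # patch name -> digests vouched for by verified inventories
    for author, (text, sig) in sorted(inventories.items()):
        if not signature_ok(author, text, sig):
            report["bad_signature"].append(author)
            continue  # checksums from an unverified inventory are never trusted
        for name, digest in parse_inventory(text).items():
            claims.setdefault(name, set()).add(digest)
    on_disk = {p.name: p for p in Path(patch_dir).iterdir() if p.is_file()}
    for name in sorted(claims):
        if name not in on_disk:
            report["missing"].append(name)
        elif claims[name] != {hashlib.sha256(on_disk[name].read_bytes()).hexdigest()}:
            report["mismatch"].append(name)
    report["unsigned"] = sorted(set(on_disk) - set(claims))  # covered by no trusted inventory
    return report

def demo():
    """Constructed sample data; HMAC stands in for PGP detached signatures."""
    keys = {"alice": b"alice-demo", "bob": b"bob-demo"}  # constructed stand-in keys
    def sign(who, text):
        return hmac.new(keys[who], text.encode(), hashlib.sha256).digest()
    def check(who, text, sig):
        return hmac.compare_digest(sign(who, text), sig)
    patches = {f"p{i}.patch": f"change {i}\n".encode() for i in range(1, 5)}
    def line(n):
        return f"{hashlib.sha256(patches[n]).hexdigest()}  {n}\n"
    alice, bob = line("p1.patch") + line("p2.patch"), line("p3.patch")
    invs = {"alice": (alice, sign("alice", alice)),
            "bob": (bob, sign("alice", bob))}  # bob's inventory signed with the wrong key
    with tempfile.TemporaryDirectory() as d:
        for name, body in patches.items():
            Path(d, name).write_bytes(body)
        Path(d, "p1.patch").unlink()                     # listed patch removed
        Path(d, "p2.patch").write_bytes(b"tampered\n")   # listed patch altered
        return validate_repo(d, invs, check)

if __name__ == "__main__":
    print(demo())
```

Patches listed only in an inventory whose signature fails end up under `unsigned`, which is the case a per-author keyring is meant to catch.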