[darcs-users] Colin Walters blogs on Arch changesets vs Darcs

Anthony Towns aj at azure.humbug.org.au
Thu Nov 25 17:06:15 UTC 2004


Zooko O'Whielacronx wrote:
> The security hole is because darcs can have two different patches under 
> the same name and not realize that they are different patches.

So, I think this is fundamentally unavoidable -- telling whether two 
patches are the same, even though ones been commuted/merged/whatever is 
difficult at best; and really requires you to redo the entire 
commutation/merge to know for sure.

I don't think it's much of a problem either, with one caveat. It's not a 
problem, because most of the time you're pulling from people you trust 
anyway; or if you don't trust them, you're verifying the code yourself 
anyway. I don't see any obvious benefit in futzing around with someone 
else's patch instead of just including your own.

But it would be nice to be able to ensure that you have come up with the 
right thing; if you've applied patches B, A, C, F, D, E, it'd be nice to 
make sure you really do have the same repository as the official "A, B, 
C, D, E, F" before you apply patch G. I'd say random corruption and 
darcs bugs would be a more likely cause of problems than attempted 
hackers, but even so, something other than "darcs get; diff -r" would be 
nice.

Hrm, although come to think of it, just dumping manifests of both 
repositories and diffing those seem to do everything necessary there.

Of course, you're pretty screwed if one of the first patches in your 
repository was a "darcs mv" of everything into some subdirectory that'll 
never get applied upstream. Unless you're willing to amend-record that 
patch every now and then to keep it as recent as possible. :-/

(This only addresses security implications, not performance or 
comprehensibility of conflicts)

Cheers,
aj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 155 bytes
Desc: OpenPGP digital signature
Url : http://lists.osuosl.org/pipermail/darcs-users/attachments/20041126/252a9d16/attachment.pgp 


More information about the darcs-users mailing list