[darcs-users] Colin Walters blogs on Arch changesets vs Darcs
aj at azure.humbug.org.au
Thu Nov 25 17:06:15 UTC 2004
Zooko O'Whielacronx wrote:
> The security hole is because darcs can have two different patches under
> the same name and not realize that they are different patches.
So, I think this is fundamentally unavoidable -- telling whether two
patches are the same, even though ones been commuted/merged/whatever is
difficult at best; and really requires you to redo the entire
commutation/merge to know for sure.
I don't think it's much of a problem either, with one caveat. It's not a
problem, because most of the time you're pulling from people you trust
anyway; or if you don't trust them, you're verifying the code yourself
anyway. I don't see any obvious benefit in futzing around with someone
else's patch instead of just including your own.
But it would be nice to be able to ensure that you have come up with the
right thing; if you've applied patches B, A, C, F, D, E, it'd be nice to
make sure you really do have the same repository as the official "A, B,
C, D, E, F" before you apply patch G. I'd say random corruption and
darcs bugs would be a more likely cause of problems than attempted
hackers, but even so, something other than "darcs get; diff -r" would be
Hrm, although come to think of it, just dumping manifests of both
repositories and diffing those seem to do everything necessary there.
Of course, you're pretty screwed if one of the first patches in your
repository was a "darcs mv" of everything into some subdirectory that'll
never get applied upstream. Unless you're willing to amend-record that
patch every now and then to keep it as recent as possible. :-/
(This only addresses security implications, not performance or
comprehensibility of conflicts)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 155 bytes
Desc: OpenPGP digital signature
Url : http://lists.osuosl.org/pipermail/darcs-users/attachments/20041126/252a9d16/attachment.pgp
More information about the darcs-users