[darcs-users] Access control

zooko at zooko.com
Mon May 9 17:54:52 UTC 2005


> In the centralised setup, Darcs reduces that to just one level: it
> uses Unix accounts.  In the distributed setting, Darcs uses GPG keys
> to identify users.  In either case, there is no account management
> within Darcs, Darcs is just obeying external account managers.
> 
> I find it paradoxical (but understandable) that you find CVS' extra
> level of bureaucracy easier to manage than Darcs' model.

Unix accounts don't lend themselves to the Principle of Least Authority -- it
isn't easy to make a Unix account that can access a specific repo through
darcs, but do nothing else, much less one which can read a repo but not write
to it, or apply but not unpull, ...

GPG keys have the same inconvenience, plus more!  One of the added
inconveniences is indicated by the way that you described GPG keys -- "to
identify users".  This emphasizes a tangential problem -- identifying users --
rather than the original problem of controlling access.

By way of comparison, imagine if giving people Unix accounts was considered to
be primarily an issue of identifying users.  There would be lots of culture
and tool support for things like verifying a user's identity face-to-face
before giving him a Unix account, cross-checking the identities of users who
have accounts on machines controlled by different sysadmins, expiring the
access privileges of users who haven't re-verified recently enough, and so
forth.  The original issue of controlling which Unix accounts can do what to
which darcs repo would be an afterthought with little culture, documentation,
or tools to explain how to do it.  So it is (circa 2005) with GPG keys.

I've exchanged darcs patches with many people, perhaps a dozen, over the last
couple of years.  Mostly this was by pulling from them over insecure HTTP; in
other cases this was accomplished by creating Unix accounts and giving them
the password over insecure phone, VoIP, IRC, or e-mail.  Never have I used GPG
(successfully).

Strange that giving someone a complete user account with interactive remote
access is easier than securely receiving a patch from them.  Sigh.

Regards,

Zooko



