[darcs-users] [darcs-devel] [issue992] short secure version identifiers
Zooko Wilcox-O'Hearn
zooko at zooko.com
Tue Jun 23 17:28:56 UTC 2009
Hello folks, this issue is biting me again (that is: it is
frustrating my programming partner Brian again), so I looked at the
ticket and I finally read Nathaniel W. Filardo's proposal carefully:
http://bugs.darcs.net/issue992 # short, secure, fast version identifiers
> Since presumably "short, secure version identifiers" are meant to
> be a reference to a configuration that somebody else built, not
> some arbitrary subset of patches in the pool, would it suffice to
> have darcs {record,push,pull,show version,...} create a context
> file for the new configuraton by default?
>
> If darcs stored these in _darcs/contexts/${HASH} using some baseN
> encoding, then they are
Do you mean ${HASH} is the hash of the context file?
Then I think your proposal is very good -- strictly better than the
kludgy workaround that I have started (http://allmydata.org/trac/
darcsver/ticket/3 ), because yours actually allows an easy way to
*fetch* that version. Yes, please!
I also read David Roundy's follow-up which criticized your approach
and I don't agree. He said:
1. It isn't secure.
I'm not sure exactly what that means here, but I don't care. Please
give me what you got and we can work on improving security later.
2. You can't generate an identifier on a private repository.
I don't understand this either. You can't *use* an identifier that
was generated in a private repository to fetch the corresponding
code, to be sure. That's what it means for the repository to be
private. But you can generate and distribute such identifiers, and
people can use them by comparing them to other identifiers.
3. You can just use the hash of the most recent patch.
Definitely not. That won't satisfy Brian because it feels too
fragile -- what if the repository gets re-ordered or if one of the
patches gets obliterated. That's close to what we are currently
doing (taking the count of patches), and it isn't good enough.
So, Nathaniel, please update your patch to current darcs, and darcs
hackers, please consider accepting Nathaniel's patch.
I haven't yet read David Roundy's next followup on the ticket where
he suggests another approach.
Regards,
Zooko
More information about the darcs-users
mailing list