[darcs-users] [darcs-devel] [issue992] short secure version identifiers

Zooko Wilcox-O'Hearn zooko at zooko.com
Tue Jun 23 17:28:56 UTC 2009


Hello folks, this issue is biting me again (that is: it is  
frustrating my programming partner Brian again), so I looked at the  
ticket and I finally read Nathaniel W. Filardo's proposal carefully:

http://bugs.darcs.net/issue992 # short, secure, fast version identifiers

> Since presumably "short, secure version identifiers" are meant to  
> be a reference to a configuration that somebody else built, not  
> some arbitrary subset of patches in the pool, would it suffice to  
> have darcs {record,push,pull,show version,...} create a context  
> file for the new configuration by default?
>
> If darcs stored these in _darcs/contexts/${HASH} using some baseN  
> encoding, then they are


Do you mean ${HASH} is the hash of the context file?

Then I think your proposal is very good -- strictly better than the  
kludgy workaround that I have started  
(http://allmydata.org/trac/darcsver/ticket/3), because yours actually  
allows an easy way to *fetch* that version.  Yes, please!

I also read David Roundy's follow-up which criticized your approach  
and I don't agree.  He said:

1.  It isn't secure.

I'm not sure exactly what that means here, but I don't care.  Please  
give me what you got and we can work on improving security later.

2.  You can't generate an identifier on a private repository.

I don't understand this either.  You can't *use* an identifier that  
was generated in a private repository to fetch the corresponding  
code, to be sure.  That's what it means for the repository to be  
private.  But you can generate and distribute such identifiers, and  
people can use them by comparing them to other identifiers.

3.  You can just use the hash of the most recent patch.

Definitely not.  That won't satisfy Brian because it feels too  
fragile -- what if the repository gets re-ordered or if one of the  
patches gets obliterated?  That's close to what we are currently  
doing (taking the count of patches), and it isn't good enough.

So, Nathaniel, please update your patch to current darcs, and darcs  
hackers, please consider accepting Nathaniel's patch.

I haven't yet read David Roundy's next followup on the ticket where  
he suggests another approach.

Regards,

Zooko 
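
An added example, not part of the original message and not darcs code: a sketch of the quoted `_darcs/contexts/${HASH}` idea, where the identifier is the hash of the context file and a fetch re-hashes what it reads before trusting it. SHA-256, unpadded base32, the function names and the sample context bytes are assumptions made for illustration.

```python
import base64
import hashlib
import os
import tempfile

B32 = set("abcdefghijklmnopqrstuvwxyz234567")

def context_id(context: bytes) -> str:
    """Identifier = unpadded lowercase base32 of SHA-256 over the context bytes."""
    digest = hashlib.sha256(context).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()

def store_context(repo: str, context: bytes) -> str:
    """Write the context under _darcs/contexts/<id> and return the id."""
    cid = context_id(context)
    ctx_dir = os.path.join(repo, "_darcs", "contexts")
    os.makedirs(ctx_dir, exist_ok=True)
    with open(os.path.join(ctx_dir, cid), "wb") as fh:
        fh.write(context)
    return cid

def fetch_context(repo: str, cid: str) -> bytes:
    """Read a context by id, refusing anything that does not hash back to it."""
    # The id becomes a file name, so accept only the base32 alphabet.
    if len(cid) != 52 or not set(cid) <= B32:
        raise ValueError("malformed identifier")
    with open(os.path.join(repo, "_darcs", "contexts", cid), "rb") as fh:
        data = fh.read()
    # The repository is untrusted: recompute the hash instead of trusting the name.
    if context_id(data) != cid:
        raise ValueError("context does not match identifier")
    return data

# Constructed sample input; not the real darcs context file format.
SAMPLE_CONTEXT = b"patch 3f2a... add README\npatch 9c41... fix build\n"

def demo() -> dict:
    with tempfile.TemporaryDirectory() as repo:
        cid = store_context(repo, SAMPLE_CONTEXT)
        ok = fetch_context(repo, cid) == SAMPLE_CONTEXT
        # Simulate a repository that serves altered content under the same name.
        with open(os.path.join(repo, "_darcs", "contexts", cid), "ab") as fh:
            fh.write(b"patch 0000... extra\n")
        try:
            fetch_context(repo, cid)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"id": cid, "round_trip": ok, "tamper_detected": tamper_detected}
```

Two parties can also compare identifiers without either being able to fetch from the other's repository, since the identifier depends only on the context bytes.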

