On Friday 10 April 2009 18:30:29, Matthew Toseland wrote:
> > I think it would be nice to do this as repository which can be updated
> > only if at least 60% of a specific group of people agree.
>
> Why is that beneficial relative to a fully distributed model of people
> pulling if they like a patch?

Because then you don't have to ever trust one single developer (who might just have been caught by evil corp?) and at the same time you don't have to double-check every change yourself. You get a trusted group of committers with some room for people dropping out.

> But it would be much better if each trusted person could have his own
> revocation key, and they could vote on adding new trusted people / kicking
> them out, and on recovery from a compromise of the main key.

The scheme below should offer a way to do that.

> > Are there any weaknesses in this scheme (except the possibility that
> > the majority of maintainers overlooks some bad code)?
>
> Dunno...

I reworked the scheme while I was on the train this weekend (for Mercurial).

Goal: A workflow where the repository gets updated only from repositories whose heads got signed by at least a certain percentage of trusted committers.

Requirements: Mercurial, two hooks for checking and three special files in the repo.

The hooks do all the work - apart from them, the repo is just a normal Mercurial repository. After cloning it, you only need to set up the hooks to activate the workflow.

Hooks: prechangegroup and pretxnchangegroup
Files: .hgtrustedkeys, .hgbackuprepos, .hgtrustminimum

Concept:

- prechangegroup: Copy the local versions of the files for access in the pretxnchangegroup hook (might be unnecessary by letting the pretxnchangegroup hook use the rollback-info).

- pretxnchangegroup:
  * per head: check if the tipmost non-signature changeset has been GnuPG signed by enough trusted keys.
  * If not all heads have enough signatures, rollback, discard the current default repo and replace it with the backup repo which has the most changesets we lack. Continue discarding bad repos until you find one with enough signatures.

.hgtrustedkeys contains a list of public GnuPG keys.
.hgbackuprepos contains a list of (pull) links to backup repositories.
.hgtrustminimum contains the percentage of keys from which a signature is needed for a head to be accepted.

With this workflow you can even do automatic updates from the repository. It should be ideal for release repositories of distributed projects.

Please tell me what you think about it!

Best wishes,
Arne

--
-- Ein Würfel System: http://1w6.org - simply clean (role-playing) rules.
-- Infinite Hands: http://infinite-hands.draketo.de - singing a part of the history of free software.
-- My stuff: http://draketo.de - stories, songs, poems, programs and stuff :)
-- PGP/GnuPG: http://draketo.de/inhalt/ich/pubkey.txt
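As an added illustration of the per-head threshold decision in the pretxnchangegroup hook (example code added here, not Arne's implementation): it assumes the hook has already run GnuPG over the signatures and only has to decide whether enough of the keys in .hgtrustedkeys signed each head; the function names and sample fingerprints are made up.

```python
"""Threshold check for the pretxnchangegroup step of the scheme above.
Hypothetical wiring: takes the text of .hgtrustedkeys (one fingerprint per
line) and .hgtrustminimum (a percentage), plus, per head, the fingerprints
whose GnuPG signatures on the tipmost non-signature changeset already
verified; running gpg itself is left to the caller."""
import math

# Constructed sample data, not from any real repository.
SAMPLE_TRUSTED_KEYS = "# five trusted committers\nAAAA1111\nBBBB2222\nCCCC3333\nDDDD4444\nEEEE5555\n"
SAMPLE_MINIMUM = "60"
SAMPLE_HEADS = {
    "head-ok": ["aaaa1111", "BBBB2222", "CCCC3333", "FFFF9999"],  # 3 trusted + 1 stranger
    "head-short": ["AAAA1111", "BBBB2222", "AAAA 1111"],          # same key twice
}


def parse_trusted_keys(text):
    """One fingerprint per line; blank lines and '#' comments are ignored."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.add(line.replace(" ", "").upper())
    return keys

def parse_minimum(text):
    """Percentage of trusted keys that must have signed, in (0, 100]."""
    pct = float(text.strip().rstrip("%"))
    if not 0 < pct <= 100:
        raise ValueError("minimum must be a percentage in (0, 100]")
    return pct

def required_signatures(n_trusted, pct):
    """'At least pct%' of n_trusted keys, rounded up, never fewer than one."""
    return max(1, math.ceil(n_trusted * pct / 100.0))

def head_accepted(verified_signers, trusted, pct):
    """Untrusted signers are ignored and each trusted key counts only once."""
    signers = {fp.replace(" ", "").upper() for fp in verified_signers}
    return len(signers & trusted) >= required_signatures(len(trusted), pct)

def rejected_heads(heads, trustedkeys_text, trustminimum_text):
    """heads maps node -> verified signer fingerprints; returns failing nodes."""
    trusted = parse_trusted_keys(trustedkeys_text)
    pct = parse_minimum(trustminimum_text)
    return sorted(n for n, s in heads.items() if not head_accepted(s, trusted, pct))

def hook_status(heads, trustedkeys_text, trustminimum_text):
    """Mercurial aborts the changegroup (rolls back) when a pretxnchangegroup
    hook returns non-zero; 0 accepts, 1 rejects so the backup-repo fallback runs."""
    return 1 if rejected_heads(heads, trustedkeys_text, trustminimum_text) else 0
```

Rounding up matters: with four trusted keys and a 60% minimum, three signatures are needed, not two.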