On Fri, Mar 9, 2012 at 13:02, Thomas Stover <c...@thomasstover.com> wrote:
> -Algorithmically verify that changes are signed by trusted users on push/pull
> operations.
> (this is also a question)
>
Theoretically, it is sufficient to sign a leaf manifest so that the entire part of the DAG that grows out of this leaf by following the parent links becomes fortified. A manifest contains SHA1 hashes of all the files in the commit and of all its parent manifests. Assuming that the intruder cannot break the signing private key and cannot forge SHA1 hash collisions, we trust the commit and its parents. Then recursively we trust grandparents and so on until we traverse a subset of the DAG connected to the initial leaf. In practice I would advocate a policy that fossil already has -- auto-sign every manifest.

> So from the "ideal scm features" point of view, what is supposed to happen?
> Just verify that
> diffs and/or complete project versions are signed by a user? As in a property
> of a user being a public key? Or as in some sort of hook script check this
> externally before allowing a sync? If a signing key is later found to be
> compromised, then changes made with that signature need to be flagged for
> inspection?
>

If the signing key itself is compromised (intruder knows the private key) all bets are off. Manual labor is the only remedy :-)

--Leo--
_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/bin/mailman/listinfo/fossil-users
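The "sign one leaf, trust the ancestry through the hash links" argument above, worked through as an added Go example. This is not code from the thread or from fossil itself: the manifest format is a hypothetical simplification (F cards for files, P cards for parents), Ed25519 stands in for the PGP signature fossil uses, the artifact id is SHA1 over the serialized manifest as the message describes, and the four-commit history (a root, two children, and a leaf merging them) is constructed sample data. The walk starts at the signed leaf, re-hashes every ancestor it reaches, and stops with an error naming the first parent whose stored content no longer matches the id its child references.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest is a hypothetical, simplified fossil manifest: file name -> SHA1 of
// the file content, plus the SHA1 (artifact id) of each parent manifest.
type Manifest struct {
	Files   map[string]string
	Parents []string
}

// Serialize renders the manifest deterministically so its hash is stable.
func (m Manifest) Serialize() string {
	names := make([]string, 0, len(m.Files))
	for n := range m.Files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "F %s %s\n", n, m.Files[n])
	}
	for _, p := range m.Parents {
		fmt.Fprintf(&b, "P %s\n", p)
	}
	return b.String()
}

func sha1hex(s string) string { sum := sha1.Sum([]byte(s)); return hex.EncodeToString(sum[:]) }

// Hash is the manifest's artifact id: SHA1 over its serialized form.
func (m Manifest) Hash() string { return sha1hex(m.Serialize()) }

// Store stands in for the repository: artifact id -> manifest.
type Store map[string]Manifest

func (s Store) Add(m Manifest) string { h := m.Hash(); s[h] = m; return h }

// NewSigner makes a trusted user's key pair (Ed25519 here instead of PGP).
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return pub, priv
}

// SignLeaf produces a detached signature over the leaf manifest's content.
func SignLeaf(s Store, leaf string, priv ed25519.PrivateKey) []byte {
	return ed25519.Sign(priv, []byte(s[leaf].Serialize()))
}

// VerifyFromLeaf checks the signature on the leaf with the trusted key, then
// walks parent links, re-hashing each ancestor and comparing with the id its
// child references; an altered or missing ancestor breaks the chain there.
func VerifyFromLeaf(s Store, leaf string, sig []byte, pub ed25519.PublicKey) (map[string]bool, error) {
	m, ok := s[leaf]
	if !ok || m.Hash() != leaf {
		return nil, fmt.Errorf("leaf %s missing or altered", leaf)
	}
	if !ed25519.Verify(pub, []byte(m.Serialize()), sig) {
		return nil, fmt.Errorf("bad signature on leaf %s", leaf)
	}
	trusted := map[string]bool{leaf: true}
	for queue := []string{leaf}; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		for _, p := range s[cur].Parents {
			if trusted[p] {
				continue
			}
			pm, ok := s[p]
			if !ok || pm.Hash() != p {
				return nil, fmt.Errorf("parent %s of %s missing or altered", p, cur)
			}
			trusted[p] = true
			queue = append(queue, p)
		}
	}
	return trusted, nil
}

// BuildDemo builds constructed sample history: root <- mid, root <- branch, leaf merges both.
func BuildDemo() (Store, string) {
	s := Store{}
	root := s.Add(Manifest{Files: map[string]string{"main.c": sha1hex("int main(){}")}})
	mid := s.Add(Manifest{Files: map[string]string{"main.c": sha1hex("int main(){return 0;}")}, Parents: []string{root}})
	branch := s.Add(Manifest{Files: map[string]string{"main.c": sha1hex("int main(){}"), "util.c": sha1hex("void u(){}")}, Parents: []string{root}})
	leaf := s.Add(Manifest{Files: map[string]string{"main.c": sha1hex("int main(){return 0;}"), "util.c": sha1hex("void u(){}")}, Parents: []string{mid, branch}})
	return s, leaf
}

// TamperAncestor simulates an intruder rewriting a stored ancestor in place:
// the blob changes but the id its child references does not.
func TamperAncestor(s Store, id string) {
	pm := s[id]
	pm.Files["main.c"] = sha1hex("int main(){system(\"evil\");}")
	s[id] = pm
}
```

Two caveats the thread itself raises are visible in the code: verification only ever compares hashes against ids, so a manifest that is merely unreachable from the signed leaf is never checked (which is why auto-signing every manifest is the stronger policy), and a leaf signed with a compromised key passes the signature check exactly as a legitimate one does, so nothing here substitutes for revoking the key and inspecting what it signed.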