On Fri, 15 Dec 2017 13:52:55 -0500, D. Richard Hipp <d...@sqlite.org>
wrote:
>On 12/15/17, Andy Bradford <amb-fos...@bradfords.org> wrote:
>> Thus said Warren Young on Thu, 14 Dec 2017 12:13:18 -0700:
>>
>>> Fossil arguably  has a  bug here, where  if you check  a change  in as
>>> local user name ``tangent'', as I  do here, then *later* do a ``fossil
>>> sync'' to a URL with a user  name, some bit of the local on-disk state
>>> remembers that  you originally  cloned the repo  as tangent  and makes
>>> your changes under that name.
>>
>> I disagree that this is a bug.  I consider it useful flexibility.
>>
>>> I classify this as a bug because it could be used for an impersonation
>>> attack.
>>
>> Fossil records which user synchronized the content in the recvfrom table
>> so the owner of the remote repository knows who did it if he cares.
>>
>> As stated in the past, Fossil is meant for a tighter group of
>> developers---perhaps this perception has changed---one in which
>> impersonation is unlikely.
>>
>
>I was very aware of all of these factors when I designed Fossil, 10
>years ago.  Impersonation was a concern.  But in a DVCS, there really
>is no way around it.
>
>Defenses include:
>
>(1) The rcvfrom table that shows clearly where all artifacts
>originated, thus allowing the originator of a deception to be tracked
>down and dealt with administratively.
>
>(2) Check-ins can be signed using GPG or PGP.  (I do this on TH3, fwiw.)
>-- 
I believe deception and impersonation are important.

I would recommend the study of block chain or blockchain technologies,
such as Bitcoin. These technologies use signed hashes. 

I have found they have a significant perspective on when an event occurs,
in what order events occur and who is the originator of the event.

An interesting, and annoying, deception I found a few years ago was where
someone added a copyright comment in several pre-existing open source
program sources, as if they were the author.

Another example is where the original author is over written, or not
mentioned or barely mentioned. 

I was working at a bank in 2001, where a programmer got an award for
installing a major fix very quickly. The designer had a big smile on his
face, because the programmer simply copied the exact code from the
designer and implemented it. The designer was never mentioned.

Most of us have similar stories.
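As an added illustration of the second defense quoted above (signed check-ins), not code from Fossil or from anyone on this thread: a toy check-in manifest whose U line is a bare claim, hashed to an artifact id and accepted only when a signature over that id verifies under the key registered for the claimed user. The manifest layout, SHA-256 hashing and Ed25519 keys are assumptions for the demo, not Fossil's actual implementation.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Manifest is a constructed stand-in for a check-in manifest: the U line is a
// bare claim about who made the change, and the hash covers only the text.
type Manifest struct {
	Comment, User, Parent string
}

// ArtifactID hashes the manifest text (SHA-256, assumed for this demo).
func ArtifactID(m Manifest) string {
	text := "C " + m.Comment + "\nP " + m.Parent + "\nU " + m.User + "\n"
	sum := sha256.Sum256([]byte(text))
	return hex.EncodeToString(sum[:])
}

// TrustedKeys maps a user name to the public key that user is known to sign with.
type TrustedKeys map[string]ed25519.PublicKey

// Sign produces a detached signature over the artifact id.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, []byte(ArtifactID(m)))
}

// Verify accepts a manifest only if the signature checks under the key
// registered for the user it claims; an unsigned manifest, or one signed by
// any other key, is rejected no matter what its U line says.
func Verify(keys TrustedKeys, m Manifest, sig []byte) bool {
	pub, ok := keys[m.User]
	if !ok || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(ArtifactID(m)), sig)
}

func main() {
	tangentPub, tangentPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	keys := TrustedKeys{"tangent": tangentPub}
	m := Manifest{Comment: "fix typo", Parent: "0000", User: "tangent"}
	fmt.Println(Verify(keys, m, Sign(tangentPriv, m))) // true
	fmt.Println(Verify(keys, m, Sign(otherPriv, m)))   // false: wrong key
	fmt.Println(Verify(keys, m, nil))                  // false: unsigned
}
```

The rcvfrom table from the first defense answers a different question (which login pushed the artifact), so the two checks complement rather than replace each other.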

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users