On Mar 27, 6:11 am, "William Stein" <[EMAIL PROTECTED]> wrote:
> On Wed, 26 Mar 2008 13:59:10 -0700, Robert Bradshaw <[EMAIL PROTECTED]> wrote:
>
> > On Mar 26, 2008, at 1:56 PM, mabshoff wrote:
>
> >> On Mar 26, 9:35 pm, Robert Bradshaw <[EMAIL PROTECTED]>
> >> wrote:
>
> >>> I was talking about something more sophisticated than export/import,
> >>> which won't work the instant one has multiple branches. One needs to
> >>> actually create multiple heads, apply patches, then resolve them. Hg
> >>> export doesn't have enough information to do this.
>
> >> Ok, sounds good. Do you have any pointers or documentation on this?
>
> > Not at the moment, but I've mucked around with mercurial more than
> > most so I don't think it should be too hard once I start looking into
> > it.
>
> Several people suggested asking on the Mercurial list, and we should
> do that. There might already be an extension or something to do this.
>
> I really don't like the prospect of say Jason Grout's idea to convert
> the whole Sage repo to git and back just to do that. Ick.
>
> Carl Witty said:
>
> > I still don't understand the requirements.
>
> To convert the hg repo to a plain text non-obfuscated format from which
> one can recreate the original hg repo.
>
> > Second, are you worried about people checking in viruses, or people
> > concealing a virus in the .hg directory without it being checked in?
>
> Both. Yes, I'm worried about people checking viruses.
> Yes, I'm also worried about people concealing a virus in the .hg directory
> without it being checked in.
>
> > For the former concern, it seems that it would be sufficient to check
> > out the files, and you don't need to recreate the repository.
>
> That requires trusting Mercurial, and that there aren't any bugs in
> Mercurial that allow one to work around such checks. That isn't a reasonable
> hypothesis, unfortunately. Also, the virus could be in an old version
> of the repo, so you have to check out that last 9000 or so states of
> the repo.
It isn't even a virus, any kind of malicious code *could* be hidden in
the repo. AFAIK mercurial doesn't prevent you from adding files in the
repo directories. While to you and me a binary .hg directory isn't
really a concern other people see it differently.
> > For the
> > latter concern, perhaps something based on "hg verify" would suffice
> > to ensure that nothing nasty has been hidden in the repository.
>
> Again, this requires trusting Mercurial, and that nobody found a way
> to workaround something like this in Mercurial. That's again not
> a reasonable assumption to make.
We should all know by now that software is buggy in general, Sage not
being an exception.
Re mercurial vs. git: I don't buy the complexity argument and it isn't
a secret that I prefer git over mercurial. It is unlikely that we will
switch since mercurial works well enough.
Should we ever switch here are two more arguments for git:
* git handles file permission changes, mercurial doesn't at the
moment
* git handles empty files gracefully, mercurial doesn't at the moment
Cheers,
Michael
> -- William
--~--~---------~--~----~------------~-------~--~----~
To post to this group, send email to sage-devel@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/sage-devel
URLs: http://www.sagemath.org
-~----------~----~----~----~------~----~------~--~---
