Question about user identify.

Martin Geisler mg at daimi.au.dk
Sat May 10 10:54:07 UTC 2008


Fallwind <coolqiufeng at hotmail.com> writes:

>   Here I have a question about hg's user identity. I went through the
> hgbook.pdf and still don't know how to prevent a "fake user" from just
> putting others' user name in his .hgrc file. Can the ssh method resolve
> this issue?

No, the use of SSH is only related to the way you distribute the
changesets. And since Mercurial is decentralized, you cannot stop
anybody from making a changeset in their local repository claiming to be
'Mickey Mouse'.

What you can do is to use the GPG extension to indicate to others which
changesets you consider 'okay'. It is used in Mercurial for signing the
changesets that go into each release -- so if you trust that the key
with ID D53910EF really belongs to Matt Mackall, then you can trust the
changesets signed by that key.

Btw, the signature-path from my key to Matt's key is four steps:

  http://webware.lysator.liu.se/jc/wotsap/wots/latest/paths/0x7E45DD38-0xD53910EF.png

depending on how many other keys you have verified, you will have a
shorter or longer path.

In your case you could sign your changesets every time you push them to
somewhere public and ask your fellow developers to do the same. Any
changeset which is not an ancestor of a signed changeset would then be
untrustworthy.

It will probably be a lot of work and depending on your security
requirements it may not be worth it...

-- 
Martin Geisler

VIFF (Virtual Ideal Functionality Framework) brings easy and efficient
SMPC (Secure Multi-Party Computation) to Python. See: http://viff.dk/.
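
The ancestor rule from the reply above, as an added example that is not part of the original message or of Mercurial's GPG extension: given a changeset graph and the set of changesets whose signatures have already been verified against trusted keys, it lists every changeset that no signature vouches for. The graph, node names and key labels are constructed, and a signed changeset is treated as covered along with its ancestors.

```python
from collections import deque

# Constructed history: node -> (claimed user, parent nodes).
# The "user" field is whatever the committer put in .hgrc; it is never consulted.
CHANGESETS = {
    "c0": ("alice", []),
    "c1": ("alice", ["c0"]),
    "c2": ("alice", ["c1"]),
    "c3": ("bob", ["c1"]),          # parallel branch
    "c4": ("alice", ["c2", "c3"]),  # merge of both branches
    "c5": ("bob", ["c4"]),          # pushed, but nobody has signed it yet
    "x1": ("Mickey Mouse", ["c2"]), # arbitrary claimed name, unsigned
}

# Nodes carrying a signature that verified against a key the reader trusts.
# Verification itself is assumed to have happened elsewhere; labels are placeholders.
SIGNED = {"c4": "KEY-A"}


def covered_by_signature(changesets, signed):
    """Return the signed changesets together with all of their ancestors."""
    covered = set()
    # Ignore signatures that refer to nodes we do not have locally.
    queue = deque(node for node in signed if node in changesets)
    while queue:
        node = queue.popleft()
        if node in covered:
            continue  # merges make nodes reachable by more than one path
        covered.add(node)
        _user, parents = changesets[node]
        queue.extend(parents)
    return covered


def untrusted(changesets, signed):
    """Changesets that are not an ancestor of (or equal to) any signed one."""
    return sorted(set(changesets) - covered_by_signature(changesets, signed))


if __name__ == "__main__":
    for node in untrusted(CHANGESETS, SIGNED):
        user, _parents = CHANGESETS[node]
        print(f"{node}: claims to be {user!r}, not covered by any signature")
```

Signing a head covers its whole history, so one signature per push is enough; the claimed user name plays no part in the decision.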