Security issue: how to use HTTP user as Mercurial user
Benoit Boissinot
bboissin at gmail.com
Tue Jun 8 08:49:23 UTC 2010
On Tue, Jun 08, 2010 at 10:38:57AM +0200, Zeljko Trogrlic wrote:
> I did some more thinking on this topic (could do that before first reply :).
>
> My idea was to use one server for releases - this is kind of "central" server.
>
> I understand why using authenticated user as changeset author is
> against DVCS philosophy - it is possible that "pusher" got changeset
> from somebody else and now he is pushing not just his own, but also
> somebody else's changesets.
>
> Now I think that signed changesets are the right way to go. Searching
> for "gpg" on the mailing list revealed that this topic was brought
> to daylight many times before. It probably deserves a page or two in
> the Mercurial book.
I personally find it more sensible to record a log of "who pushed what",
it should be sufficient for your purpose: you'll be able to question the
person responsible for pushing the questionable changeset.
That's exactly what pushlog (developed by Mozilla) does.
Benoit
--
:wq
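
The "who pushed what" log suggested in this reply, as an added sketch that is not part of the original message and is not Mozilla's pushlog code. It assumes the repository is served by hgweb behind HTTP authentication and that hgweb passes the pusher to external hooks in HG_URL as `remote:<proto>:<host>:<user>` with host and user URL-quoted; the hook name, script path and log file name are hypothetical, and the choice to refuse pushes with no authenticated user is this example's own.

```python
"""Push-audit hook sketch. Assumed wiring in the served repo's .hg/hgrc:
    [hooks]
    pretxnchangegroup.audit = python3 /path/to/push_audit.py   (hypothetical path)
"""
import json
import os
import subprocess
import sys
import time
from urllib.parse import unquote

AUDIT_LOG = ".hg/push-audit.log"  # hypothetical name; the hook runs in the repo root


def parse_pusher(hg_url):
    """Return (proto, host, user) from HG_URL, or None if it is not a remote push.

    Assumption: host and user are URL-quoted, so a ':' inside either (IPv6
    address, odd user name) arrives as %3A and splitting on ':' is unambiguous.
    """
    parts = (hg_url or "").split(":")
    if len(parts) != 4 or parts[0] != "remote":
        return None  # e.g. an ssh push, which carries no user field, or a local path
    return parts[1], unquote(parts[2]), unquote(parts[3])


def audit_record(hg_url, nodes, when):
    """Build one JSON log line tying the authenticated user to the pushed nodes."""
    pusher = parse_pusher(hg_url)
    if pusher is None or not pusher[2]:
        raise ValueError("push without an authenticated HTTP user")
    proto, host, user = pusher
    return json.dumps({"time": int(when), "user": user, "host": host,
                       "proto": proto, "nodes": list(nodes)}, sort_keys=True)


def main():
    # HG_NODE is the first incoming changeset; everything up to tip is new.
    out = subprocess.check_output(
        ["hg", "log", "-r", os.environ["HG_NODE"] + ":tip", "--template", "{node}\n"],
        text=True)
    try:
        line = audit_record(os.environ.get("HG_URL"), out.split(), time.time())
    except ValueError as exc:
        sys.stderr.write("push rejected: %s\n" % exc)
        return 1  # non-zero exit from a pretxn hook aborts the transaction
    with open(AUDIT_LOG, "a") as fh:
        fh.write(line + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The recorded user is the account that authenticated the push, independent of the author field inside each changeset, which is what makes the log usable for tracing a questionable changeset back to whoever pushed it.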