monotone-devel

Re: [Monotone-devel] Re: Monotone server


From: Daniel Carrera
Subject: Re: [Monotone-devel] Re: Monotone server
Date: Thu, 09 Oct 2008 17:59:39 +0200
User-agent: Thunderbird 2.0.0.17 (Macintosh/20080914)

Hello,

Bruce Stephens wrote:
> I'm not convinced that such opinions of git are fair.
> ...
> See <http://eagain.net/articles/git-for-computer-scientists/>,
> <http://cworth.org/hgbook-git/tour/>,
> <http://www.kernel.org/pub/software/scm/git/docs/user-manual.html>,
> <http://book.git-scm.com/>, for examples of good documentation of git
> after 1.5.

Thanks. I'll take a look at those.

> I think the three systems do offer signing, just not as pervasively as
> monotone.  Ah, OK, bzr doesn't (yet) by the looks of it.  The other
> two do:
> <http://www.kernel.org/pub/software/scm/git/docs/git-tag.html>,
> <http://www.selenic.com/mercurial/wiki/index.cgi/GpgExtension>.
>
> In the git case you can sign (and verify) a tag object using gpg.
> Such a tag will reference a revision, so transitively that gives you
> assurance of the history.

Thanks for the links. It looks like Mercurial is like git: one can use gpg to sign a revision (and implicitly, its history). In which way are signatures more pervasive in monotone?

> (In that case it's not much different from
> monotone; in monotone revisions aren't signed, rather the things
> attached to revisions get signed, so if you have a tag, the only
> signature that matters (arguably) is that one signature.)

So, when I run 'mtn commit' Monotone is not signing anything? I couldn't find a sign command for Monotone so I assumed that every commit was signed.


> But what does "security" mean for you?  I think monotone's security
> has legs: if you use monotone, then you can trace every cert to its
> signer, so you can find who made each assertion about each revision.
> (Well, you can see which key was used, anyway.)  That feels
> potentially of value to an open source project that might need to
> defend itself.
>
> But maybe you just want to be sure that nobody else has changed
> something, in which case adding a signed tag now and again might be
> enough.  Or just make a note somewhere of the most recent commit hash.

I'm interested in the latter. I just want an easy way to detect random corruption or intentional tampering. I *could* keep track of the hashes, but truthfully, I won't. Intrusion is a very rare event and if I have to jot down a hash every day (I upload every day) I might keep it up for a month or two and then I'll stop doing it.


I don't know if any RCS has this feature, but I would really like to be informed if something has changed. If the server is compromised, I want to hear about it. I'm not sure what I need to get this feature, but I figured that monotone would be a good place to start.


>> Interesting. I didn't know about that about Git. As a sole developer
>> that feature doesn't apply to me. But it's interesting.
>
> Perhaps it doesn't apply, though I'd be surprised if you didn't find
> it useful.

I probably don't understand git's index feature. I'll read about it on the links you gave me. Maybe then I'll see how it would be useful to me.


>> Do you use Monotone anywhere? I ask because you are, after all, in a
>> Monotone mailing list.
>
> I used to use it, but I don't any longer.


You switched to git everywhere?

Daniel.
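The two points made in the thread, that a signed tag "transitively gives you assurance of the history" and that jotting down the latest commit hash is enough to detect tampering, both rest on the same property of content-addressed histories. The toy model below is an added illustration, not monotone or git code: each commit identifier is a hash over the tree, the parent identifier and the message (the fields a git commit object carries), so altering any ancestor changes every identifier downstream of it and the recorded tip no longer matches. The sample history and the "corruption" are constructed; a real signed tag is a gpg signature over exactly this tip identifier, which is why one signature covers the whole chain.

```python
"""Toy model of why one recorded (or signed) tip hash covers a whole history.

Added illustration, not monotone or git code. Commit identifiers are built the
way git-style content-addressed histories build them: each commit hashes its
tree, its parent identifier and its message, so any change to an ancestor
changes every identifier downstream of it.
"""
import hashlib
from typing import List, Optional, Tuple

# A commit as the toy model stores it: (tree hash, commit message).
Commit = Tuple[str, str]


def tree_hash(content: str) -> str:
    """Stand-in for a tree object: hash of the file content at that commit."""
    return hashlib.sha1(content.encode()).hexdigest()


def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    """Hash the same fields a git commit object carries: tree, parent, message."""
    payload = f"tree {tree}\nparent {parent or '-'}\n\n{message}".encode()
    return hashlib.sha1(payload).hexdigest()


def commit_ids(history: List[Commit]) -> List[str]:
    """Walk root to tip, chaining each identifier into its child."""
    ids: List[str] = []
    parent: Optional[str] = None
    for tree, message in history:
        parent = commit_id(tree, parent, message)
        ids.append(parent)
    return ids


def tip_of(history: List[Commit]) -> str:
    """The identifier a tag (signed or not) would point at."""
    ids = commit_ids(history)
    return ids[-1] if ids else ""


# Constructed sample history of three commits (not real project data).
HISTORY: List[Commit] = [
    (tree_hash("version 1 of main.c"), "Initial import"),
    (tree_hash("version 2 of main.c"), "Fix off-by-one in parser"),
    (tree_hash("version 3 of main.c"), "Add README"),
]


def record_tip(history: List[Commit]) -> str:
    """Bruce's 'make a note somewhere': the one value you write down today."""
    return tip_of(history)


def check_tip(recorded: str, history: List[Commit]) -> bool:
    """Compare yesterday's note with what the server holds now."""
    return recorded == tip_of(history)


def corrupt_ancestor(history: List[Commit], index: int, content: str) -> List[Commit]:
    """Model random corruption of one old commit's tree, leaving the tip untouched
    by anyone (the tip identifier changes anyway, because its parent chain did)."""
    damaged = list(history)
    _tree, message = damaged[index]
    damaged[index] = (tree_hash(content), message)
    return damaged


def first_changed_commit(recorded_ids: List[str], history: List[Commit]) -> Optional[int]:
    """If you keep the full id list rather than only the tip, you can also say
    where the chain first diverges; returns None when everything matches."""
    for i, (old, new) in enumerate(zip(recorded_ids, commit_ids(history))):
        if old != new:
            return i
    return None


if __name__ == "__main__":
    note = record_tip(HISTORY)
    print("tip recorded:", note)
    damaged = corrupt_ancestor(HISTORY, 0, "bit-flipped version 1 of main.c")
    print("clean history matches note:", check_tip(note, HISTORY))
    print("damaged history matches note:", check_tip(note, damaged))
    print("first changed commit:", first_changed_commit(commit_ids(HISTORY), damaged))
```

The single recorded tip answers "has anything changed?" but not "where?"; keeping the full identifier list (as `first_changed_commit` does) answers both, at the cost of a longer note. Replacing the note with a gpg-signed tag, as suggested above, removes the need to store anything by hand: the signature is over the same tip identifier, so the verification is the same comparison carried out by `gpg` instead of by eye.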



