[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Monotone-devel] Re: Monotone server

From: Daniel Carrera
Subject: Re: [Monotone-devel] Re: Monotone server
Date: Thu, 09 Oct 2008 17:59:39 +0200
User-agent: Thunderbird (Macintosh/20080914)


Bruce Stephens wrote:
I'm not convinced that such opinions of git are fair.
See <>,
<>, for examples of good documentation of git
after 1.5.

Thanks. I'll take a look at those.

I think the three systems do offer signing, just not as pervasively as
monotone.  Ah, OK, bzr doesn't (yet) by the looks of it.  The other
two do:

In the git case you can sign (and verify) a tag object using gpg.
Such a tag will reference a revision, so transitively that gives you
assurance of the history.

Thanks for the links. It looks like Mercurial is like git: one can use gpg to sign a revision (and implicitly, its history). In which way are signatures more pervasive in monotone?

(In that case it's not much different from
monotone; in monotone revisions aren't signed, rather the things
attached to revisions get signed, so if you have a tag, the only
signature that matters (arguably) is that one signature.)

So, when I run 'mtn commit' Monotone is not signing anything? I couldn't find a sign command for Monotone so I assumed that every commit was signed.

But what does "security" mean for you?  I think monotone's security
has legs: if you use monotone, then you can trace every cert to its
signer, so you can find who made each assertion about each revision.
(Well, you can see which key was used, anyway.)  That feels
potentially of value to an open source project that might need to
defend itself.

But maybe you just want to be sure that nobody else has changed
something, in which case adding a signed tag now and again might be
enough.  Or just make a note somewhere of the most recent commit hash.

I'm interested in the latter. I just want an easy way to detect random corruption or intentional tampering. I *could* keep track of the hashes, but truthfully, I won't. Intrusion is a very rare event and if I have to jot down a hash every day (I upload every day) I might keep it up for a month or two and then I'll stop doing it.

I don't know if any RCS has this feature, but I would really like to be informed if something has changed. If the server is compromised, I want to hear about it. I'm not sure what I need to get this feature, but I figured that monotone would be a good place to start.

Interesting. I didn't know about that about Git. As a sole developer
that feature doesn't apply to me. But it's interesting.

Perhaps it doesn't apply, though I'd be surprised if you didn't find
it useful.

I probably don't understand git's index feature. I'll read about it on the links you gave me. Maybe then I'll see how it would be useful to me.

>> Do you use Monotone anywhere? I ask because you are, after all, in a
>> Monotone mailing list.
> I used to use it, but I don't any longer.

You switched to git everywhere?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]