Changesets feature complete
Aaron Bentley
aaron.bentley at utoronto.ca
Thu May 25 16:32:30 BST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Aaron Bentley wrote:
> If you sign a changeset containing your own revisions, that's the same
> as signing the revisions themselves. If you sign
To complete that thought:
If you sign a changeset, I think you're asserting that the revisions in
it are authentic. If they're your own revisions, it's equivalent to
signing your own revisions. If they're someone else's revisions, it's
equivalent to signing someone else's revisions.
I'm not sure whether you're supposed to be able to sign someone else's
revisions, but I think either way, it's not clear that signing the
changeset contributes new information. And I'm not at all certain that
it makes sense to do the signing all at once.
I suppose one thing that signing the changeset would provide would be
evidence that the changeset itself is not maliciously written (as with
ActiveX browser plugins). But changesets aren't supposed to be
dangerous anyway - it's not like they're an executable format - so
that's a very limited advantage.
Aaron
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFEdc4O0F+nu1YWqI0RAv5eAJ9cQf2fDRFMxxd5z08TWxJp1dENKwCfWHHN
zUGL6QEa8KY9tjk+X6Ce0c0=
=c17U
-----END PGP SIGNATURE-----
More information about the bazaar
mailing list