Changesets feature complete

Aaron Bentley aaron.bentley at utoronto.ca
Thu May 25 16:32:30 BST 2006


Aaron Bentley wrote:
> If you sign a changeset containing your own revisions, that's the same
> as signing the revisions themselves.  If you sign

To complete that thought:

If you sign a changeset, I think you're asserting that the revisions in
it are authentic.  If they're your own revisions, it's equivalent to
signing your own revisions.  If they're someone else's revisions, it's
equivalent to signing someone else's revisions.

I'm not sure whether you're supposed to be able to sign someone else's
revisions, but I think either way, it's not clear that signing the
changeset contributes new information.  And I'm not at all certain that
it makes sense to do the signing all at once.

I suppose one thing that signing the changeset would provide would be
evidence that the changeset itself is not maliciously written (as with
ActiveX browser plugins).  But changesets aren't supposed to be
dangerous anyway - it's not like they're an executable format - so
that's a very limited advantage.

Aaron



