Changesets feature complete
Aaron Bentley
aaron.bentley at utoronto.ca
Fri May 26 21:29:42 BST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
John Arbash Meinel wrote:
>>So this is where I say "sign the message, not just the changeset". Just
>>because I signed a changeset, doesn't mean I think *you* should merge it
>>into *that* branch. This is something I think PQM really gets right.
>
>
> Except right now you can only tell the pqm to 'merge this branch', so if
> you add extra commits (or uncommit) before it gets there, the message is
> incorrect. :)
Yes, and this is something I think PQM really gets wrong :-).
> But that is something we need to fix with the pqm. (Part of the desired
> fixes to the pqm and pqm-submit that I started were to submit the
> testament sha signatures and revision id of the requested merge)
That would be excellent.
> I am asserting that I want the PQM to grab the revisions that I have. I
> can't guarantee that they are from Aaron, or that they are perfect, but
> I can tell the pqm that they are what I have.
And I suppose, telling pqm that they are what your revisions are based upon.
>>Unless you require the message to be signed, you don't have that
>>guarantee. Having the changeset be signed means that it was *created*
>>by someone who has access to keys that you trust, not that they *sent*
>>the message or that they think it's a good idea for you to apply it.
> Changesets aren't inherently signed, it should done at a higher level.
> And like you mention, possibly along with a message saying what should
> be done with the changeset (like by pqm-submit).
Yes, I can agree with that.
> I realize I was mixing a couple things here. And it might mean that we
> should put some sort of checksum at the end of a changeset. So that we
> don't go to the expense of parsing it, if it has been munged in transit.
That also makes some sense, though I think it will rarely be very
expensive. These changesets I've been generating with the entire
revision history of bzrtools are the exception, not the rule.
> Though I know there is stuff which allows whitespace to be stripped from
> the end of lines, so I'm not sure what should be part of the checksum. I
> would like something, though.
Fine by me.
Aaron
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFEd2U20F+nu1YWqI0RArXvAJ0dBtUG3bSI+4ETk7SV9udzxgXFvwCfWqG9
2D4KZdZmThRVePGIf8gJPrg=
=2Z4E
-----END PGP SIGNATURE-----
More information about the bazaar
mailing list