[MERGE] [0.90] Disable patch verification (broken for CRLF files)

John Arbash Meinel john at arbash-meinel.com
Mon Aug 13 17:45:59 BST 2007

Hash: SHA1

James Westby wrote:
> On (13/08/07 08:54), Aaron Bentley wrote:
>> Hash: SHA1
>> Hi all,
>> We recently discovered that patch verification is broken for CRLF files
>> (and probably CR files, too).  The fix appeared simple, but I've run
>> into problems testing it, so I think the safest things it to disable it
>> for now.  I'll get a fix in before 0.91.
>> I think it is important to get some kind of fix into 0.90, because it
>> will be an extremely visible bug for projects using non-LF source files
>> and bundles/merge-directives.
> I don't doubt the importance of this problem, but isn't the proposed fix
> for 0.90 just opening up the hole that the check is designed to
> prevent?
> My understanding is that this check is there to ensure that the
> revisions that will be installed have the effect that the preview patch
> says they will when they are taken together. If this is not the case
> then please correct me.
> Thanks,
> James

It does, with his change, the preview patch can differ from the actual
content. However, without his patch, if you have a file with \r\n
(people working on Windows especially) it won't let you merge *any* bundles.

The chance of exploiting the change is pretty minimal, will only be
exposed for about 1 month, and is a lot less disruptive than preventing
bundles completely.


Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the bazaar mailing list