[MERGE] [0.90] Disable patch verification (broken for CRLF files)

[Goffredo Baroncelli]

On Monday 13 August 2007, John Arbash Meinel wrote:
> James Westby wrote:
> > On (13/08/07 08:54), Aaron Bentley wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Hi all,
> >>
> >> We recently discovered that patch verification is broken for CRLF files
> >> (and probably CR files, too).  The fix appeared simple, but I've run
> >> into problems testing it, so I think the safest things it to disable it
> >> for now.  I'll get a fix in before 0.91.
> >>
> >> I think it is important to get some kind of fix into 0.90, because it
> >> will be an extremely visible bug for projects using non-LF source files
> >> and bundles/merge-directives.
> >>
> >
> > I don't doubt the importance of this problem, but isn't the proposed fix
> > for 0.90 just opening up the hole that the check is designed to
> > prevent?
> >
> > My understanding is that this check is there to ensure that the
> > revisions that will be installed have the effect that the preview patch
> > says they will when they are taken together. If this is not the case
> > then please correct me.
> >
> > Thanks,
> >
> > James
> >
> 
> It does, with his change, the preview patch can differ from the actual
> content. However, without his patch, if you have a file with \r\n
> (people working on Windows especially) it won't let you merge *any* bundles.

It is possible to add a more explicit warning, something like:

  ========== WARNING ============
  The preview check is disabled due to presence of a '\r' character in the
  file
  ========== WARNING ============

> The chance of exploiting the change is pretty minimal, will only be
> exposed for about 1 month, and is a lot less disruptive than preventing
> bundles completely.
> 
> John
> =:->
> 
> 
> 



-- 
gpg key@ keyserver.linux.it: Goffredo Baroncelli (ghigo) 
<kreijack_AT_inwind.it>
Key fingerprint = CE3C 7E01 6782 30A3 5B87  87C0 BB86 505C 6B2A CFF9