Forbid uncommits over the network

[John Arbash Meinel]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lasse Kliemann wrote:
> * Message by -Aaron Bentley- from Fri 2009-05-08:
>> Lasse Kliemann wrote:
>>> Is there any official statement available that 
>>> 'append_revisions_only' in fact closes all possible loopholes 
>>> through which existing revisions might be tempered with (provided 
>>> there is only network access via 'bzr serve' to the repository)?
>> No.  See John's email.
> 
> I tried the example with '--overwrite', but I only get: 
> 
>   Operation denied because it would change the main history, 
>   which is not permitted by the append_revisions_only setting on 
>   branch...
> 
>> At this point, it's not feasible to disable the
>> nosmart / vfs mode, and that would be required to prevent tampering.
> 
> Can you give an example command and configuration for this? 
> Adding 'nosmart' to the URL did not change anything here. BTW, I 
> am using SSH (via bzr+ssh or nosmart+bzr+ssh) and the server has 
> 
>    command="bzr serve --allow-writes --inet --directory=/foo/bar" ...
> 
> in '.ssh/authorized_keys'.

So it would appear that I was wrong. I just checked the code, and
'append_revisions_only' supersedes '--overwrite'.

append_revisions_only is actually checked at the time of
'set_last_revision_info', which is just about as low-level as you can get.

So with the existing bzr clients, you can't override that setting.
(There are ways someone with write access to that file could write a
specific value there, but it would have to be pretty much malicious, and
not accidental in any way.)

John
=:->

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkoEU2YACgkQJdeBCYSNAAPy3gCfRJvQgTIG2S0fCWZWDMY7V+hs
ka4AnRgAPYAGRDGlniTXXD3uVPiLBmm9
=9Ujf
-----END PGP SIGNATURE-----