Security
Joke de Buhr
joke.de.buhr at seiken.de
Wed Nov 4 11:16:43 GMT 2009
On Wednesday 04 November 2009 11:25:07 Jelmer Vernooij wrote:
> On Wed, 2009-11-04 at 10:34 +0100, Mattias Eriksson wrote:
> > ons 2009-11-04 klockan 09:35 +0100 skrev Joke de Buhr:
> > > On Wednesday 04 November 2009 03:06:53 Stephen J. Turnbull wrote:
> > > > Daniel Carrera writes:
> > > > > Hello,
> > > > >
> > > > > Does Bazaar have any cryptographic security guarantees in the
> > > > > style of Monotone, Git and Mercurial?
> > > >
> > > > Last I heard, only Monotone makes any pretense to security. Git
> > > > and Mercurial provide a certain amount of automatic integrity
> > > > checking, using a cryptographic quality hash. Whether that can
> > > > be straightforwardly extended to security is another question; it
> > > > depends a lot on workflows AFAIK.
> > >
> > > Git cryptographic protection is based on sha1 hashes. Each commit
> > > is hashed much like you can hash files from command-line using
> > > sha1sum. The hash is used as a revision id in git.
> >
> > The beauty of this hash in git is that the hash of the latest
> > revision is based on previous revisions, meaning that if you know
> > that hash you can verify the integrity of the whole history not just
> > that revision. I do not know if bazaar has this kind of mechanism
> > built in to the revision hash.
>
> yes, this is part of the testament sha1.
>
You can check it if you want to:

    bzr testament --long

displays detailed information about each active element of the current
revision. The format is:

    {filename} {unique identifier} {sha1 of file}

The complete long testament is sha1 hashed again:

    bzr testament --long | sha1sum

The output is the same hash displayed using

    bzr testament

So manipulating one file would result in a different hash listed in the
long testament and as a result the final hash would be a different one as
well.
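The check described in the message above, as an added Python example (not part of the original thread and not Bazaar's own code). It models only the per-file lines in the `{filename} {unique identifier} {sha1 of file}` form and the SHA-1 taken over them; the tree contents, file ids and function names are constructed for illustration, and the output will not match a real `bzr testament`.

```python
import hashlib

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def long_manifest(tree: dict) -> str:
    """tree maps filename -> (file_id, content). One line per file, sorted by name."""
    lines = []
    for name in sorted(tree):
        file_id, content = tree[name]
        lines.append(f"{name} {file_id} {sha1_hex(content)}")
    return "\n".join(lines) + "\n"

def short_hash(manifest: str) -> str:
    """Hash of the whole manifest, the analogue of piping it through sha1sum."""
    return sha1_hex(manifest.encode("utf-8"))

def changed_files(trusted_manifest: str, tree: dict) -> list:
    """Names whose line was modified, added or removed relative to the trusted manifest."""
    def parse(manifest):
        entries = {}
        for line in manifest.splitlines():
            # rsplit keeps filenames that contain spaces intact
            name, file_id, digest = line.rsplit(" ", 2)
            entries[name] = (file_id, digest)
        return entries
    old, new = parse(trusted_manifest), parse(long_manifest(tree))
    return sorted(n for n in old.keys() | new.keys() if old.get(n) != new.get(n))

# Constructed sample tree (hypothetical file ids and contents)
TREE = {
    "README": ("readme-20091104-aaaa", b"hello\n"),
    "src/main.py": ("main-20091104-bbbb", b"print('hi')\n"),
}
TRUSTED_MANIFEST = long_manifest(TREE)
TRUSTED_HASH = short_hash(TRUSTED_MANIFEST)

# Same tree with one file's content altered after the hash was recorded
TAMPERED = dict(TREE)
TAMPERED["src/main.py"] = ("main-20091104-bbbb", b"print('hi!')\n")

if __name__ == "__main__":
    print(TRUSTED_MANIFEST, end="")
    print("trusted :", TRUSTED_HASH)
    print("tampered:", short_hash(long_manifest(TAMPERED)))
    print("changed :", changed_files(TRUSTED_MANIFEST, TAMPERED))
```

Comparing the single short hash detects that something changed; comparing the per-file lines against a trusted copy of the long form shows which file it was.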