revids that include periods are interpreted as ranges

[Andrew Bennetts]

On Tue, Aug 16, 2011 at 12:04:13PM +0200, John Arbash Meinel wrote:
[...]
> But honestly, I don't use raw revids particularly often. But they
> certainly are meant to be available, and uniquely identify a revision.
> Especially for automated processing, etc. So I would like to have a way
> to work with your use case.

Two thoughts:

 1) if we had a way to refer to a revision by a (unique) substring of
    the revid (as some other tools do) that might kill two birds with
    one stone: provide a workaround for this issue, and also make using
    raw revids slightly more convenient.  Obviously arranging for those
    lookups to be cheap is non-trivial, but e.g. a plugin could maintain
    an index.

 2) scripts that rely on “-r revid:$REV” to unambiguously refer to a
    single revision and not a range might be trickable into doing
    slightly wrong things if you can inject a sufficiently tricky
    revision ID.  Imagine e.g. committing a specially crafted revision
    ID that caused a merge robot to merge some malicious revisions
    rather than the one that was reviewed.  So this is potentially a
    security issue, although I think not a serious or urgent one.

-Andrew.