Storage internals: UUID
Daniel Carrera
dcarrera at hush.com
Thu Jun 7 23:15:36 UTC 2012
Hey,
I keep replying to myself, but the more I learn about the "testament" feature the more I like it. It seems to provide the cryptographic security that I have been asking for. I got most of the information from this blog post:
http://blogs.gnome.org/jamesh/2007/10/04/signed-revisions-with-bazaar/
So basically, if you run "bzr testament -r 3412 --long" you get a file that contains:
* SHA1 hashes for every file in the revision, the full file, not just the delta.
* All the revision metdata: Revision id, author, date, parent revisions, commit message, bugfixes and branch.
Then all this together is hashed again, and that's what gives you the "short form" testament hash:
% bzr testament -r 6372
bazaar-ng testament short form 1
revision-id: johanengelen at users.sourceforge.net-20080720184127-
vb3nb0e82mamq2m6
sha1: 165c2a8e46025aa7c1d545115fecd69f6217a34b
This last hash is simply the SHA1 of the entire output of "bzr testament --long". So, as far as I can tell, this hash really has everything I would need to affirm the integrity of the revision. So I'm happy. The only other feature I would like to see is the ability search for a revision based on its hash testament. Maybe something like this:
bzr update -r 165c2a8
bzr branch -r165c2a8
etc.
You get the idea. As in other VCS's, you don't have to enter the entire SHA1 as long as what you provide is unique. I think it would be cool if at every place where you normally insert a revision id, you had the option of entering the SHA1 of the testament instead. For my daily work I would use the convenient "-r 5" type revision number, but when I publish a release, I would probably give instructions based on the hash.
In addition, with this feature you would add one more "workflow" choice for Bazaar. People who actually prefer to refer to revisions by hash (perhaps refugees from Git or Hg) have an option to continue working just the way they like it, and have basically the same cryptographic assurance that they get from Git and Hg.
What do you think? Do you think this is doable? Easy?
Cheers,
Daniel.
More information about the bazaar
mailing list