Having more than three phases (was RFC: Phase UI (revset, phase command and others))

Pierre-Yves David pierre-yves.david at ens-lyon.org
Sun Jan 8 07:51:58 CST 2012 

On Sun, Jan 08, 2012 at 11:59:43AM +0100, Laurens Holst wrote:
> Op 7-1-2012 18:05, David Pierre-Yves schreef:
> >
> >Secret changeset are not indiscoverable secret in many ways. For
> >example you can pull them anyway if you explicitly  ask the server
> >for them. The secret phase is more a safety to prevent unexpected
> >pushing/pull some changeset, relying on them to keep stuff
> >undisclosed is wrong assumption and the name is probably bad then.
> 
> But the cryptographic nature of changeset IDs prevents this from
> exposing information about the existence of these changeset IDs.

I do not understand what you mean there

> Of course it is true that it’s not really great that if you somehow
> retrieved the changeset ID, you are able to retrieve the whole
> changeset. So if you’d ask me this shouldn’t be possible either
> (what’s the use case for allowing it?).
> 
> Why is this a wrong assumption, why wouldn’t we guarantee that
> secret changesets are actually that, secret? I think that would be a
> great and very useful property.

The current mercurial code base work that way. The implementation of "secret
changeset" so far does no do anything else that pruning them from discovery
mechanisme.

Enforcing really secret changeset is much more work. Being certain it is
perflecty secure is an utopia.

As code do not wrote himself over night the current behavior is likely to stay
as is. Except if someone really what such guarantee to exists so much that he
wrote code that implement them.

On the other hand people can just use separated clone to keep your private stuff
unexposed and secure.

> In my other reply I gave a use case for a problematic aspect of the
> ‘upgrade’-behaviour. Having a secret ID available could also be used
> to forge a changeset (although depending on the built-in checks this
> may be hard), which triggers this upgrade, exposing the secret
> changeset.

You don't need to forge any changeset (which is not that feasible anyway). You
can just pretend you have a local public version.

The upgrade behavior from secret to draft is an independant topic that need to
be solved.

More information about the Mercurial-devel mailing list