[PATCH audit RFC] audit: add core audit module, extension using it, and a minimal test

Matt Mackall mpm at selenic.com
Wed Dec 2 12:48:32 CST 2015


On Wed, 2015-12-02 at 12:38 -0500, Mike Edgar wrote:
> # HG changeset patch
> # User Mike Edgar <adgar at google.com>
> # Date 1448701927 18000
> #      Sat Nov 28 04:12:07 2015 -0500
> # Node ID 2a3144c7158e2f80a9ea7ce7da026c1492ffa9e6
> # Parent  389b9907470c61bc502a4e78724aa9b336d81cf6
> audit: add core audit module, extension using it, and a minimal test
> 
> This is the first piece of implementing audit trails/chain-of-custody tracking
> in core Mercurial, providing minimal core functionality and an extension
> for accessing that core functionality.
> 
> For more details on the audit trail design, see:
> 
> https://www.mercurial-scm.org/wiki/AuditTrailPlan

So this looks mostly good, but I really think we need to be much more
explicit about the semantics of a signature from the get-go.

If we don't explicitly say in writing and in the UI what a signature
means, there will be a spectrum of interpretations and local
conventions for signatures from "you signed this, you've put your
entire reputation behind its integrity and it's also legally binding"
to "hey, I just said I randomly copied some bits, I never claimed to
have exercised any judgment".

So I think we need to say something like: 

    If an intent is present, the signature represents an assertion of
    the form "I hereby assert that this changeset is __". If no intent
    is present, the changeset is unaudited.

And just as importantly, when we report a signature with no intents, we
have to display something like "(unaudited)" so that people don't
develop their own folk semantics for what the default is.

> +  signature 1
> +  -----------
> +  hg.custodian=Foo User <foo at example.org>
> +  hg.date=0 0
> +  hg.link=8940c25c8bf083973a903d690b2d4a27495c2c65
> +  tested=2
> +  tested.manual=yes
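
Review bot: The expected output at `tested=2` and `tested.manual=yes` lists intents in the same flat key=value form as the `hg.`-prefixed fields, so a reader of this output cannot tell which lines are assertions made by the custodian or what the value `2` stands for. Consider labelling or grouping the intent lines apart from `hg.custodian`, `hg.date` and `hg.link`, and documenting the allowed intent values next to this test; `hg.date=0 0` would also be easier to read rendered as a date rather than as the raw pair.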

We might want to go the other way on reserving namespace:

custodian=
date=
link=
reviewed=  # an intent we've defined
x-tested=  # an intent we haven't

(we also typically use colons for display)

Also, new code should really use a formatter:

https://www.mercurial-scm.org/wiki/GenericTemplatingPlan

-- 
Mathematics is the supreme nostalgia of our time.
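
A sketch of the display rule and key namespace proposed in the message above, as an added example that is not part of the original thread or of Mercurial's code. The function names, the treatment of dotted sub-keys, and the handling of unrecognised keys are assumptions; the sample records are constructed from the values quoted in the thread.

```python
# Added illustration; every name here is hypothetical, not a Mercurial API.
RESERVED = {"custodian", "date", "link"}  # metadata keys from the reply's sketch
DEFINED_INTENTS = {"reviewed"}            # the intent the reply shows as defined

# Constructed sample records.
SAMPLE_SIGNED = ("custodian=Foo User <foo at example.org>\ndate=0 0\n"
                 "link=8940c25c8bf083973a903d690b2d4a27495c2c65\n"
                 "x-tested=2\nx-tested.manual=yes")
SAMPLE_BARE = ("custodian=Foo User <foo at example.org>\ndate=0 0\n"
               "link=8940c25c8bf083973a903d690b2d4a27495c2c65")

def parse_record(text):
    """Parse 'key=value' lines into an ordered list of (key, value) pairs."""
    fields = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")  # split at the first '=' only
        if not sep or not key.strip():
            raise ValueError("line %d: expected key=value" % lineno)
        fields.append((key.strip(), value.strip()))
    return fields

def classify(key):
    """Return 'meta', 'intent', 'x-intent' or 'unknown' for a field key."""
    base = key.split(".", 1)[0]  # assumption: 'x-tested.manual' qualifies 'x-tested'
    if base in RESERVED:
        return "meta"
    if base in DEFINED_INTENTS:
        return "intent"
    if base.startswith("x-") and len(base) > 2:
        return "x-intent"
    return "unknown"

def render(fields):
    """Render one signature; append '(unaudited)' when it carries no intent."""
    out, intents = [], 0
    for key, value in fields:
        kind = classify(key)
        if kind == "unknown":
            # Assumption: fail closed, so an unrecognised key never reads as an assertion.
            out.append("ignored: %s" % key)
            continue
        if kind != "meta":
            intents += 1
        out.append("%s: %s" % (key, value))  # colons for display, as the reply suggests
    if intents == 0:
        out.append("(unaudited)")
    return "\n".join(out)
```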


