fine-grained access control
Eric M. Hopper
hopper at omnifarious.org
Mon May 1 08:42:41 CDT 2006
On Thu, 2006-04-27 at 16:57 -0700, Danek Duvall wrote:
> My point was that any deltas prior to the opening of the file would be
> kept hidden through access controls -- no one without authorization
> could pull such a delta from the repo, even if they had permissions to
> other deltas in the same file, or other files in the same repo.
>
> It wouldn't prevent someone with permissions for that delta to pull
> them somewhere accessible to the world -- which would allow anyone
> with filesystem access to gain access to the embargoed deltas, or
> anyone to pose as a Sun employee to gain access (assuming no use of
> cryptography in the authentication or the storage).
>
> What I want is fluidity across the boundaries for those who are
> allowed, and complete separation for those who aren't. Looks like the
> architecture of mercurial doesn't allow for both, and I don't have the
> cycles to write a proof of concept either way.
One interesting way to accomplish this might be an extension to the
repository meta-data that allows you to specify a source changeset and
repo id when you wink a repository into the new tree. Sort of like an
enhanced version of the 'this file is a copy of this version of this
file' meta-data already being kept.
Permissions and access control on a per-file and/or per-file revision
basis are definitely the wrong way to go about doing this in Mercurial.
It's possible to set up checkin permissions by using pre-commit hooks
that refuse to accept changesets for certain parts of the tree (or even
certain files) that don't have signatures from the right people. But
that's about it.
Have fun (if at possible),
--
The best we can hope for concerning the people at large is that they
be properly armed. -- Alexander Hamilton
-- Eric Hopper (hopper at omnifarious.org http://www.omnifarious.org/~hopper) --
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 185 bytes
Desc: This is a digitally signed message part
Url : http://www.selenic.com/pipermail/mercurial/attachments/20060501/6aa5ef02/attachment.pgp
More information about the Mercurial
mailing list