No subject


Tue Mar 25 23:26:52 CDT 2008


plain text format to be able to inspect the files and make sure that
they have not been changed by a virus?

It is not necessary to have the repository contents in plain text to
do that -- all you need is to sign a trusted revision number with a
GnuPG key. You can then later verify the integrity of the repository.

The gpg Mercurial extension makes this (already easy step) even
easier: http://www.selenic.com/mercurial/wiki/index.cgi/GpgExtension

The point is that the revision number (the hexadecimal string printed
using, say, 'hg id') depends on *everything* in the repository. So it
is impossible for a virus to change any meta-data without also
disturbing the hash value.

You can therefore easily trust a repository given to you by a
stranger, as long as you verify the integrity (with 'hg verify') and
check that the revision of the repository is trusted.

If the tip-most revision is unknown to you, then you can always strip
the unknown revisions away using 'hg strip' and then start from a last
known good revision.

And please note that this property is not unique to Mercurial: all the
other modern revision control systems use the same technique to make
it easy to verify the integrity of a repository.

-- 
Martin Geisler

VIFF (Virtual Ideal Functionality Framework) brings easy and efficient
SMPC (Secure Multi-Party Computation) to Python. See: http://viff.dk/.



More information about the Mercurial mailing list