Audit options with Mercurial

Martin Geisler mg at lazybytes.net
Sun Jan 23 10:12:42 CST 2011


pallikkattil <pallikkattil at yahoo.com> writes:

> Our current source control system Harvest has security groups assigned
> for code promotions. So dev team leads can do code review and promote
> the code to QA state. QA team does QA; only their team can promote code
> to production staging state and once all directors approve the code
> for production the production team pushes the code to production. So
> Harvest keeps track of all the people who approved this code for
> production and provides reports for auditors as to what code change
> was approved by whom and when. I am looking for something similar in
> Mercurial i.e. the approval workflow and ability to report on it.

In Mercurial you would create different repositories for the different
security groups, and when code is promoted from one state to another,
then this corresponds to a push from one repository to another.

To log who did the push, you would install a changegroup hook in the
repositories on the server. That could then record the authenticated
user in a database. The pushlog extension(s) are an example of this, see
the other reply in this thread.

Finally, if you need hard proof of who made each changeset, then my
commitsigs extension might be of use:

  https://bitbucket.org/mg/commitsigs

It works by embedding cryptographic signatures directly into each
changeset. The extension also provides hooks so that you can configure a
server to ensure that all pushed changesets have an embedded signature.

-- 
Martin Geisler

Mercurial links: http://mercurial.ch/
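
Added example, not part of the original message and not the pushlog extension's code: a sketch of the changegroup hook described above, recording the authenticated user and the pushed changesets in SQLite and reading them back for an audit report. Assumptions: a Python 3 Mercurial, the hypothetical `PUSHLOG_DB` environment variable for the database path, and an HTTP push reporting its user in the hook's `url` argument as `remote:http:<ip>:<user>`.

```python
import getpass
import os
import sqlite3
import time
from urllib.parse import unquote

def _text(value):
    # Mercurial on Python 3 hands bytes to hooks; normalise to str.
    return value.decode("utf-8", "replace") if isinstance(value, bytes) else value

def pushing_user(source, url):
    # Assumption: HTTP pushes arrive with url "remote:http:<ip>:<user>";
    # anything else (e.g. SSH) runs the hook as the logged-in account.
    parts = _text(url or "").split(":")
    if _text(source) == "serve" and len(parts) >= 4 \
            and parts[0] == "remote" and parts[1].startswith("http"):
        return unquote(parts[3]) or "(unauthenticated)"
    return getpass.getuser()

def record_push(db_path, user, nodes, when=None):
    """Append one push and its changeset ids; return the push id."""
    con = sqlite3.connect(db_path)
    with con:  # one transaction: a push is logged whole or not at all
        con.execute("CREATE TABLE IF NOT EXISTS pushes (id INTEGER PRIMARY KEY,"
                    " user TEXT NOT NULL, date INTEGER NOT NULL)")
        con.execute("CREATE TABLE IF NOT EXISTS changesets"
                    " (push_id INTEGER NOT NULL, node TEXT NOT NULL)")
        stamp = int(time.time() if when is None else when)
        push_id = con.execute("INSERT INTO pushes (user, date) VALUES (?, ?)",
                              (user, stamp)).lastrowid
        con.executemany("INSERT INTO changesets VALUES (?, ?)",
                        [(push_id, n) for n in nodes])
    con.close()
    return push_id

def report(db_path):
    """Rows of (push id, user, date, node) for auditors, oldest push first."""
    con = sqlite3.connect(db_path)
    rows = con.execute("SELECT p.id, p.user, p.date, c.node FROM pushes p"
                       " JOIN changesets c ON c.push_id = p.id"
                       " ORDER BY p.id, c.rowid").fetchall()
    con.close()
    return rows

def hook(ui, repo, node=None, source=None, url=None, **kwargs):
    """changegroup hook; 'node' is the first changeset the push added."""
    nodes = [_text(repo[rev].hex()) for rev in range(repo[node].rev(), len(repo))]
    db_path = os.environ.get("PUSHLOG_DB", "pushlog.db")  # hypothetical setting
    record_push(db_path, pushing_user(source, url), nodes)
    return False  # a false result tells Mercurial the hook succeeded
```

It would be enabled in the server repository's hgrc under `[hooks]` with a line such as `changegroup.pushlog = python:/path/to/pushlog_hook.py:hook`, where the file path is a placeholder. Keep the database outside the repository and writable only by the account that serves pushes, so the people being audited cannot edit the log.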