Audit options with Mercurial
Arne Babenhauserheide
arne_bab at web.de
Sun Jan 23 11:51:22 CST 2011
On Saturday 22 January 2011 13:56:12 pallikkattil wrote:
> Our current source control system, Harvest, has security groups assigned for
> code promotions. So dev team leads can do code review and promote the code
> to the QA state. The QA team does QA; only their team can promote code to the
> production-staging state, and once all directors approve the code for
> production, the production team pushes the code to production. So Harvest
> keeps track of all the people who approved this code for production and
> provides reports for auditors as to what code change was approved by whom
> and when. I am looking for something similar in Mercurial, i.e. the approval
> workflow and the ability to report on it.
This sounds like a nice use case for separate clones:
• The dev team works in the dev-repository and can push the code to the
QA repository.
• The QA team works in the QA-repository and can push the code from QA to the
production-staging repository.
• The directors work on production-staging and can push the code to
production.
To make sure that the code has really been checked by all, you can require
that all heads must be GnuPG signed in order to enter a higher-up repository.
To make this workflow more secure, the QA team could push all their changes to
the dev repo first and require double-checking from the devs, and the directors
could push all their changes to QA. Then developers, QA and directors have to
sign the head revision to get it into production.
For the reports you can for example use this:
for h in $(hg heads --template "{node}\n"); do hg sigcheck $h ; done
For an existing signature this gives something like
5976560e6777 is signed by:
Arne Babenhauserheide (Physikliebhaber, Hobbysänger und Ideenspringquell)
<arne_bab at web.de>
For missing signatures you get
No valid signature for a6bc9b77e768
A signature approves all ancestors of the signed revision.
You can check all signatures via
hg sigs
This requires the GPG extension:
http://mercurial.selenic.com/wiki/GpgExtension
Also see: http://code.google.com/p/hghooklib/wiki/CheckGpgSig
Best wishes,
Arne
--
To be apolitical
means to be political
without noticing it.
- Arne (http://draketo.de)
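An added example (not code from the post or from Mercurial) that turns the sigcheck loop above into an audit report for the "all heads must be signed" gate: it lists every head with its signer, or UNSIGNED, and returns the number of unsigned heads so a script or hook can refuse promotion. It assumes the GPG extension is enabled and that `hg sigcheck` prints the two output forms quoted above; the HG variable is an assumption so another hg binary can be substituted.

```shell
#!/bin/sh
# Audit report for the signed-heads promotion workflow.
# Assumes the GPG extension is enabled and that `hg sigcheck <node>` prints
# "<short> is signed by:" followed by the signer, or "No valid signature for
# <short>" (the outputs quoted in the post). HG is an assumed override so a
# different hg binary can be used.
HG="${HG:-hg}"

# Print one line per head: "<node> SIGNED <signer>" or "<node> UNSIGNED".
# Return status is the number of unsigned heads; 0 means every head is
# approved (a signature also covers all ancestors of the signed revision).
audit_heads() {
    unsigned=0
    for h in $("$HG" heads --template "{node}\n"); do
        out=$("$HG" sigcheck "$h" 2>&1)
        case "$out" in
            *"is signed by:"*)
                # the signer is printed on the line(s) after "<short> is signed by:"
                signer=$(printf '%s\n' "$out" | sed '1d' | tr '\n' ' ')
                printf '%s SIGNED %s\n' "$h" "$signer"
                ;;
            *)
                printf '%s UNSIGNED\n' "$h"
                unsigned=$((unsigned + 1))
                ;;
        esac
    done
    return "$unsigned"
}
```

Run it in the production-staging clone before pulling into production; a non-zero exit means at least one head lacks an approval signature.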