Differences between revisions 2 and 3
Revision 2 as of 2015-06-12 20:04:47
Size: 2026
Editor: AugieFackler
Comment:
Revision 3 as of 2015-06-12 20:34:32
Size: 2080
Comment:

Note:

This page is primarily intended for developers of Mercurial.

This is an extraction of a mail from mpm. Basically, we'd like to have some way to have a cryptographically meaningful chain-of-custody for a patch, which can include an "I assert this is my work" type bit.

Specific requirements:

  • Signatures need to specify intent, which might be one of:
    • "I wrote this patch and it's my work. It has hash X."
    • "I reviewed this patch and it looks fine. I got it with hash X, and committed it as X'"
    • "I'm a bot. I ran trivial lint tests and rebased it from X to X'."

Here's a more concrete example:

sig0: user=indygreg, source=author, abstract=1234abcd, delta=abcd1234, gpg-signature=sdfkjs...
sig1: user=pushgate, source=rebase, check-abstract=1234abcd, abstract=2345bcde, delta=bcde2345, gpg-signature=skdjjkd..
sig2: user=marmoute, source=import, audit=true, check-delta=bcde2345, abstract=3456cdef, delta=cdef3456, gpg-signature=ldlkfl..
sig3: user=mpm, source=rebase, audit=true, check-abstract=4567defa, abstract=4567defa, delta=defa4567, gpg-signature=oerituwow..

Note here that sig2 is making multiple simultaneous signed assertions:

- I got a patch and verified its delta $X
- I audited the patch
- the resulting commit abstract was X'
- the resulting delta abstract was $X'

Also note how sig1 gives us a chain of custody, but doesn't assert that it actually read anything, because it's an automated process.

We can also imagine the following for an unsigned patch that we decide to sign in review (perhaps because it came from an anonymous security researcher):

sig0: user=durin42, source=import, audit=true, abstract=3456cdef, delta=cdef3456, gpg-signature=ldlkfl..
sig1: user=mpm, source=rebase, audit=true, check-abstract=4567defa, abstract=4567defa, delta=defa4567, gpg-signature=oerituwow..

So a verifier will need to distinguish between audited-to-standard-X and verified-to-originate-from-Y and both-verified-and-audited.
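As an added illustration (not code from the mail or from Mercurial), here is a small verifier in Python that parses the sig records above, checks that every check-abstract / check-delta names a hash an earlier signer actually asserted, and classifies the result as audited, verified-to-originate, or both. The record syntax, the field names and the verdict labels are assumptions drawn from this page; the sample chain is the first three records above, re-wrapped, and cryptographic checking of each gpg-signature is assumed to have been done by the caller.

```python
import re

# Constructed sample: first three records of the chain on this page, wrapped as in a mail.
SAMPLE_CHAIN = """\
sig0: user=indygreg, source=author, abstract=1234abcd, delta=abcd1234,
gpg-signature=sdfkjs...
sig1: user=pushgate, source=rebase, check-abstract=1234abcd, abstract=2345bcde,
delta=bcde2345, gpg-signature=skdjjkd..
sig2: user=marmoute, source=import, audit=true, check-delta=bcde2345,
abstract=3456cdef, delta=cdef3456, gpg-signature=ldlkfl..
"""

def parse_sigs(text):
    """Parse 'sigN: k=v, k=v, ...' records into dicts. A line without a
    'sigN:' prefix is a wrapped continuation of the previous record."""
    records = []
    for line in text.strip().splitlines():
        if re.match(r"\s*sig\d+:", line):
            records.append(line.strip())
        elif records:
            records[-1] += " " + line.strip()
    sigs = []
    for rec in records:
        label, _, body = rec.partition(":")
        fields = {"label": label}
        for kv in body.split(","):
            if "=" in kv:
                k, _, v = kv.partition("=")
                fields[k.strip()] = v.strip()
        sigs.append(fields)
    return sigs

def verify_chain(sigs):
    """Walk the chain in order: each check-* field must name a hash asserted by an
    earlier signer. Then classify what the chain as a whole proves about the patch."""
    problems, seen = [], {"check-abstract": set(), "check-delta": set()}
    origin, audited_by = None, []          # who claims authorship; who audited
    for s in sigs:
        for key, pool in seen.items():     # custody link must point at a known hash
            if key in s and s[key] not in pool:
                problems.append(f"{s['label']}: {key}={s[key]} matches no earlier assertion")
        if s.get("source") == "author":
            origin = s.get("user")
        if s.get("audit") == "true":
            audited_by.append(s.get("user"))
        seen["check-abstract"].add(s.get("abstract"))   # later sigs may chain to these
        seen["check-delta"].add(s.get("delta"))
    status = ["unverified", "audited", "verified-to-originate",
              "both-verified-and-audited"][2 * (origin is not None) + (audited_by != [])]
    return {"status": status, "origin": origin, "audited_by": audited_by,
            "chain_intact": not problems, "problems": problems}
```

A rebase or import record whose check-abstract names a hash no previous signer asserted breaks the chain and is reported by label, so a reviewer can see exactly where custody was lost.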


CategoryDeveloper and CategoryNewFeatures

CommitCustodyConcept (last edited 2017-01-09 19:52:44 by AugieFackler)