Note:

This page is primarily intended for developers of Mercurial.

This is an extraction of a mail from mpm. Basically, we'd like to have some way to have a cryptographically meaningful chain-of-custody for a patch, which can include a "I assert this is my work" type bit.

Specific requirements:

Here's a more concrete example:

sig0: user=indygreg, source=author, abstract=1234abcd, delta=abcd1234,
gpg-signature=sdfkjs...
sig1: user=pushgate, source=rebase, check-abstract=1234abcd, abstract=2345bcde,
delta=bcde2345, gpg-signature=skdjjkd..
sig2: user=marmoute, source=import, audit=true, check-delta=bcde2345,
abstract=3456cdef, delta=cdef3456, gpg-signature=ldlkfl..
sig3: user=mpm, source=rebase, audit=true, check-abstract=4567defa,
abstract=4567defa, delta=defa4567, gpg-signature=oerituwow..

Note here that sig2 is making multiple simultaneous signed assertions:

- I got a patch and verified its delta $X - I audited the patch - the resulting commit abstract was X' - the resulting delta abstract was $X'

Also note how sig1 gives us a chain of custody.. but doesn't assert that it actually read anything because it's an automated process.

We can also imagine the following for an unsigned patch that we decide to sign in review (perhaps because it came from an anonymous security researcher):

sig0: user=durin42, source=import, audit=true, abstract=3456cdef,
delta=cdef3456, gpg-signature=ldlkfl..
sig1: user=mpm, source=rebase, audit=true, check-abstract=4567defa,
abstract=4567defa, delta=defa4567, gpg-signature=oerituwow..

So a verifier will need to distinguish between audited-to-standard-X and verified-to-originate-from-Y and both-verified-and-audited.

Some draft work on this front is at in this mailing list message. If you want to resume the work, start there, but please mind the review feedback later in the thread.


CategoryDeveloper and CategoryNewFeatures

CommitCustodyConcept (last edited 2017-01-09 19:52:44 by AugieFackler)