On Mon, Jan 19, 2009 at 10:08:47AM -0600, Jeremy wrote:
> The only problem (with both mercurial and git) is authentication. With svn, I
> have passwords set up for each person. But with distributed systems, there is
> no central server, and code exchanges can happen ad-hoc, so there is no way to
> identify who is submitting code. User identity is set via a text field in the
> local config file.
>
> Even if you identify who is logging into your servers, their push might
> include code they picked up from other people along the way (one of the main
> features of DVCS).
>
> I'm thinking they need (as an optional mode) gpg signatures on all commits,
> and the option to reject incoming patches that lack signatures.

With both git and mercurial you can sign tags.

> They do have an extension for hg to let you sign a repo, but it makes a commit
> just for the sig (so you would have 2x the number of commits), and you would
> have to implement a lot of the above using pre/post commit hooks wired up to
> gpg. I might try to do that.

I'm not privy to the design decisions of either DVCS, but I presume that
they encourage a large number of small commits, followed by a tag
(like a release; the release can be of your feature into the main
code stream, not something end-user visible).
Cheers,
florin
--
Bruce Schneier expects the Spanish Inquisition.
http://geekz.co.uk/schneierfacts/fact/163
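
Added example, not part of the original thread: the "reject incoming patches that lack signatures" option discussed above, sketched as a git pre-receive hook that checks every commit in a push, including ones the pusher picked up from other people. It assumes a git version with signed commits and the `%G?` log placeholder, and that the signers' public keys are trusted in the server's GPG keyring; the function names are illustrative.

```shell
#!/bin/sh
# Sketch of a server-side pre-receive hook (added example; names are illustrative).
# Assumes the signers' public keys are trusted in the server's GPG keyring.

# True when the argument is an all-zero object id (ref creation or deletion).
is_zero() { [ -z "$(printf %s "$1" | tr -d 0)" ]; }

# Reads "<sha> <status>" lines, as printed by: git log --format='%H %G?'
# Prints every commit whose status is not G (good signature) and returns 1
# if there was at least one. Other %G? values: N no signature, B bad,
# E cannot be checked, U unknown validity, X/Y expired, R revoked key.
unsigned_commits() {
    bad=0
    while read -r sha status; do
        case "$status" in
            G) ;;
            *) echo "$sha $status"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Checks all commits a single ref update would introduce.
check_ref() {
    old=$1; new=$2
    is_zero "$new" && return 0            # ref deletion: nothing to verify
    if is_zero "$old"; then
        range="$new --not --all"          # new ref: only commits not already on the server
    else
        range="$old..$new"
    fi
    git log --format='%H %G?' $range | unsigned_commits
}

# git feeds the hook one "<old> <new> <refname>" line per updated ref.
main() {
    rc=0
    while read -r old new ref; do
        check_ref "$old" "$new" || { echo "rejected $ref: commits listed above lack a good signature" >&2; rc=1; }
    done
    return "$rc"
}

# Run only when installed as hooks/pre-receive, so the file can also be sourced.
case "$0" in */pre-receive) main; exit $? ;; esac
```

Installed as `hooks/pre-receive` in the receiving repository, a non-zero exit makes git refuse the whole push.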