Note:

This page is primarily intended for developers of Mercurial.

This is an extraction of a mail from mpm. Basically, we'd like some way to have a cryptographically meaningful chain of custody for a patch, which can include an "I assert this is my work" type bit.

Specific requirements:

  • Signatures need to specify intent, which might be one of:
    • "I wrote this patch and it's my work. It hash hash X."
    • "I reviewed this patch and it looks fine. I got it with hash X, and committed it as X'"
    • "I'm a bot. I ran trivial lint tests and rebased it from X to X'."

Here's a more concrete example:

sig0: user=indygreg, source=author, abstract=1234abcd, delta=abcd1234, gpg-signature=sdfkjs...
sig1: user=pushgate, source=rebase, check-abstract=1234abcd, abstract=2345bcde, delta=bcde2345, gpg-signature=skdjjkd..
sig2: user=marmoute, source=import, audit=true, check-delta=bcde2345, abstract=3456cdef, delta=cdef3456, gpg-signature=ldlkfl..
sig3: user=mpm, source=rebase, audit=true, check-abstract=3456cdef, abstract=4567defa, delta=defa4567, gpg-signature=oerituwow..

Note here that sig2 is making multiple simultaneous signed assertions:

  • I got a patch and verified its delta (check-delta=bcde2345)
  • I audited the patch (audit=true)
  • the resulting commit has abstract 3456cdef
  • the resulting delta is cdef3456

Also note how sig1 gives us a chain of custody, but doesn't assert that it actually read anything, because it is an automated process: it only vouches that it took the patch with abstract 1234abcd and rebased it.

We can also imagine the following for an unsigned patch that we decide to sign in review (perhaps because it came from an anonymous security researcher):

sig0: user=durin42, source=import, audit=true, abstract=3456cdef, delta=cdef3456, gpg-signature=ldlkfl..
sig1: user=mpm, source=rebase, audit=true, check-abstract=3456cdef, abstract=4567defa, delta=defa4567, gpg-signature=oerituwow..

So a verifier will need to distinguish between audited-to-standard-X and verified-to-originate-from-Y and both-verified-and-audited.
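As an added example (this is not Mercurial code and not part of mpm's mail), here is a small verifier for records in the form shown above. It assumes one record per line in the `sigN: key=value, ...` syntax; that a check-abstract or check-delta must equal the abstract or delta of the record immediately before it; that every record after the first carries at least one check-* field; and, so that it runs without gpg, it substitutes an HMAC-SHA256 under constructed per-user keys for the gpg-signature field. USER_KEYS, the function names, and the test values are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed per-user keys; they stand in for the signers' GPG keys so the
# example runs without gpg (an assumption of this example, not of the design).
USER_KEYS = {
    "indygreg": b"key-indygreg", "pushgate": b"key-pushgate",
    "marmoute": b"key-marmoute", "mpm": b"key-mpm", "durin42": b"key-durin42",
}

def parse_record(line):
    """Parse 'sigN: k=v, k=v, ...' into (label, {field: value})."""
    label, _, body = line.partition(":")
    fields = {}
    for item in body.split(","):
        if item.strip():
            k, _, v = item.partition("=")
            fields[k.strip()] = v.strip()
    return label.strip(), fields

def signed_payload(fields):
    """Canonical bytes covered by the signature: all fields but the signature, sorted by name."""
    items = sorted((k, v) for k, v in fields.items() if k != "gpg-signature")
    return ",".join(f"{k}={v}" for k, v in items).encode()

def sign_record(fields, key):
    """Stand-in for a GPG signature: HMAC-SHA256 over the canonical payload."""
    return hmac.new(key, signed_payload(fields), hashlib.sha256).hexdigest()

def build_chain(unsigned):
    """Sign each (label, fields) pair with its user's key (test-data helper)."""
    out = []
    for label, f in unsigned:
        f = dict(f)
        f["gpg-signature"] = sign_record(f, USER_KEYS[f["user"]])
        out.append((label, f))
    return out

def serialize(records):
    """Render records in the one-line-per-signature form used on this page."""
    return "\n".join(f"{label}: " + ", ".join(f"{k}={v}" for k, v in f.items())
                     for label, f in records)

def verify_chain(records, keys=USER_KEYS):
    """Walk sig0..sigN in order and check every custody link.

    Rules taken from the examples above: each record's signature must verify
    under its user's key; a check-abstract / check-delta must equal the
    abstract / delta of the record immediately before it; every record after
    the first must carry at least one check-* field.
    """
    problems, prev = [], None
    origin_verified = audited = False
    for label, f in records:
        key = keys.get(f.get("user"))
        if key is None:
            problems.append(f"{label}: unknown user {f.get('user')!r}")
        elif not hmac.compare_digest(f.get("gpg-signature", ""), sign_record(f, key)):
            problems.append(f"{label}: signature does not verify")
        if prev is None:
            origin_verified = f.get("source") == "author"   # root claims authorship
        else:
            linked = False
            for check, target in (("check-abstract", "abstract"), ("check-delta", "delta")):
                if check in f:
                    linked = True
                    if f[check] != prev.get(target):
                        problems.append(f"{label}: {check}={f[check]} != previous {target}={prev.get(target)}")
            if not linked:
                problems.append(f"{label}: no check-* field, custody link missing")
        if f.get("audit") == "true":
            audited = True
        prev = f
    return {"ok": not problems, "problems": problems,
            "origin_verified": origin_verified, "audited": audited}

def classify(result):
    """The verdicts a verifier has to keep apart (see the paragraph above)."""
    if not result["ok"]:
        return "invalid"
    if result["origin_verified"] and result["audited"]:
        return "both-verified-and-audited"
    if result["audited"]:
        return "audited"
    return "verified-to-originate" if result["origin_verified"] else "chain-only"

def check_text(text):
    """Parse the textual records and classify the chain they form."""
    records = [parse_record(l) for l in text.splitlines() if l.strip()]
    return classify(verify_chain(records))

# Constructed chain mirroring the page's first example (with real HMAC values).
EXAMPLE = build_chain([
    ("sig0", {"user": "indygreg", "source": "author", "abstract": "1234abcd", "delta": "abcd1234"}),
    ("sig1", {"user": "pushgate", "source": "rebase", "check-abstract": "1234abcd",
              "abstract": "2345bcde", "delta": "bcde2345"}),
    ("sig2", {"user": "marmoute", "source": "import", "audit": "true", "check-delta": "bcde2345",
              "abstract": "3456cdef", "delta": "cdef3456"}),
    ("sig3", {"user": "mpm", "source": "rebase", "audit": "true", "check-abstract": "3456cdef",
              "abstract": "4567defa", "delta": "defa4567"}),
])
```

Run over the first example, `check_text(serialize(EXAMPLE))` yields both-verified-and-audited; the anonymous-researcher chain (sig0 from durin42 with source=import) yields audited, since nobody in it claims authorship. Editing any signed field after the fact, or pointing a check-abstract at an abstract other than the preceding record's, makes verify_chain name the offending record in its problem list, which is the property a chain of custody has to give you.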

Some draft work on this front is in this mailing list message: https://www.mercurial-scm.org/pipermail/mercurial-devel/2015-December/076247.html. If you want to resume the work, start there, but please mind the review feedback later in the thread.


CategoryDeveloper and CategoryNewFeatures

CommitCustodyConcept (last edited 2017-01-09 19:52:44 by AugieFackler)