Thanks Martin, I think the issue is that we want a version of our repository that has no binary data in it for transparency. The virus part is just a possible scenario that has been blown out of proportion because of the way I asked the question, since I didn't understand it well enough myself :)
didier

Forwarded conversation
Subject: [EMAIL PROTECTED] Posting error: sage-devel
------------------------

From: *Martin Geisler* <[EMAIL PROTECTED]>
Date: Fri, Mar 28, 2008 at 5:47 AM
To: [EMAIL PROTECTED]

Hi,

I tried to post the following message to the SAGE group to participate in the discussion about Mercurial. But I apparently have to register first -- could you instead forward it?

> "William Stein" <[EMAIL PROTECTED]> writes:
>
> > Carl Witty said:
> >> Second, are you worried about people checking in viruses, or
> >> people concealing a virus in the .hg directory without it being
> >> checked in?
> >
> > Both. Yes, I'm worried about people checking viruses. Yes, I'm
> > also worried about people concealing a virus in the .hg directory
> > without it being checked in.
>
> No matter what files I put in the .hg directory in my clone, they
> won't be copied to other clones via 'hg push' and 'hg pull'. So I
> don't see why you are afraid that I might put a virus there.
>
> The only way I could inject a virus into someone else's Mercurial
> repository (without having direct write access to it) is to commit
> it and convince the other party to 'hg pull' from me.
>
> I think that checking that people do not commit stupid things (build
> products, viruses, etc) is more of a social problem. And still: if
> they do commit something bad, then (assuming you are using an OS
> that won't randomly execute files on your hard disk...) you can safely
> pull the changes since you can always strip them away again if you
> want.

--
Martin Geisler

VIFF (Virtual Ideal Functionality Framework) brings easy and efficient SMPC (Secure Multi-Party Computation) to Python. See: http://viff.dk/.

----------
From: *Martin Geisler* <[EMAIL PROTECTED]>
Date: Fri, Mar 28, 2008 at 8:14 AM
To: [EMAIL PROTECTED]

The following message is a courtesy copy of an article that has been posted to gmane.comp.version-control.mercurial.general as well.

didier deshommes <[EMAIL PROTECTED]> writes:

> Hi everyone,
> Sage (http://www.sagemath.org/) uses hg for its source control and
> recently a question has come up about the possibility of doing the
> following:
>
> (1) export everything in the .hg repo to something (perhaps a ton of
> stuff) in plain text format,
> (2) delete .hg/ directory
> (3) do something that recovers the .hg/ directory from the output of (1).

From reading the messages in this thread I gather that you want the plain text format to be able to inspect the files and make sure that they have not been changed by a virus?

It is not necessary to have the repository contents in plain text to do that -- all you need is to sign a trusted revision number with a GnuPG key. You can then later verify the integrity of the repository. The gpg Mercurial extension makes this (already easy) step even easier:

http://www.selenic.com/mercurial/wiki/index.cgi/GpgExtension

The point is that the revision number (the hexadecimal string printed using, say, 'hg id') depends on *everything* in the repository. So it is impossible for a virus to change any meta-data without also disturbing the hash value.

You can therefore easily trust a repository given to you by a stranger, as long as you verify the integrity (with 'hg verify') and check that the revision of the repository is trusted. If the tip-most revision is unknown to you, then you can always strip the unknown revisions away using 'hg strip' and then start from a last known good revision.

And please note that this property is not unique to Mercurial: all the other modern revision control systems use the same technique to make it easy to verify the integrity of a repository.
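The hash-chain property described in the last message above, as an added example that is not part of the original thread and is not Mercurial's own code. It is a simplified model (file and manifest parents are ignored, the changeset text is reduced to manifest id plus message), all function names and the sample history are constructed for illustration, and the trusted tip id is assumed to come from a signature that was already verified with GnuPG.

```python
import hashlib

NULLID = b"\0" * 20  # parent id used when a revision has no parent

def node_id(text: bytes, p1: bytes = NULLID, p2: bytes = NULLID) -> bytes:
    """Node id in the Mercurial style: SHA-1 over the sorted parent ids, then the content."""
    a, b = sorted((p1, p2))
    return hashlib.sha1(a + b + text).digest()

def commit(files: dict, message: bytes, parent: bytes = NULLID) -> bytes:
    """Simplified changeset id: file ids feed the manifest id, which feeds the changeset id."""
    manifest = b"".join(
        name + b"\0" + node_id(data).hex().encode() + b"\n"
        for name, data in sorted(files.items())
    )
    changeset = node_id(manifest).hex().encode() + b"\n" + message
    return node_id(changeset, parent)  # the parent id chains this revision to its history

def tip_id(history) -> str:
    """Replay the history oldest-first and return the hex id of the tip-most revision."""
    parent = NULLID
    for files, message in history:
        parent = commit(files, message, parent)
    return parent.hex()

def is_trusted(history, trusted_tip: str) -> bool:
    """True only if the recomputed tip matches the id that was signed out of band."""
    return tip_id(history) == trusted_tip

# Constructed sample history: two revisions of a tiny repository.
HISTORY = [
    ({b"setup.py": b"print('build')\n"}, b"initial import"),
    ({b"setup.py": b"print('build')\n", b"README": b"Sage\n"}, b"add README"),
]

def tampered_copy(history):
    """Same history with one file silently altered in the oldest revision."""
    files, message = history[0]
    altered = dict(files)
    altered[b"setup.py"] = b"print('build')\nimport os  # injected line\n"
    return [(altered, message)] + list(history[1:])

if __name__ == "__main__":
    trusted = tip_id(HISTORY)  # stands in for the signed revision id
    print("trusted tip:          ", trusted)
    print("clean copy verifies:  ", is_trusted(HISTORY, trusted))
    print("tampered copy verifies:", is_trusted(tampered_copy(HISTORY), trusted))
```

A change buried in the oldest revision alters that revision's id, and because every later revision hashes its parent's id, the tip id no longer matches the signed value.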