* Re: Distributed VCS with good user verification?
       [not found] ` <20090505212420.GC2761-KgLppkx3sYOz9XH0brcyGRf3AA1FrM/fXqFh9Ls21Oc@public.gmane.org>
@ 2009-05-10 19:59   ` Yann Dirson
  0 siblings, 0 replies; only message in thread
From: Yann Dirson @ 2009-05-10 19:59 UTC (permalink / raw)
  To: Lasse Kliemann
  Cc: git-u79uwXL29TY76Z2rM5mHXA, better-scm-discuss-0fE9KPoRgkgATYTw5x5z8w

On Tue, May 05, 2009 at 11:24:20PM +0200, Lasse Kliemann wrote:
> This list hasn't seen any traffic for over a year, but since 
> usually no-one unsubscribes from a list with no traffic, I hope 
> someone will read this.
> 
> 
> I am looking for a VCS that makes it easy to see who committed 
> which revision and to be certain that this information is 
> correct.
> 
> When I look at the commit log, I want to see at a glance who 
> committed which revision. I want to be sure that those names 
> displayed are really meaningful. That is, it should be guaranteed 
> that in fact that person which I associate with the displayed 
> name has committed the respective revision.
> 
> In Subversion, a centralized VCS, this can be ensured by 
> correctly setting '--tunnel-user=USER' on the server, when using 
> SSH. Then, a user authenticates himself by his SSH key, then the 
> SSH server picks the corresponding entry in 
> '~/.ssh/authorized_keys', and this will cause the intended user 
> name to be recorded as the committer.
> 
> In a distributed VCS, this is no option since commits happen 
> locally. Instead, revisions must be cryptographically signed.  
> However, signing is not everything. In addition, signatures must 
> be verified, and the commit log should reflect which commits have 
> valid signatures and which not.


If you're only relying on an ssh tunnel for svn, I suppose it should
be OK for you as well to use this mechanism with a DSCM.  If so,
gitosis provides the necessary infrastructure to do so comfortably on
top of git (gitosis upstream does not seem very active, but there is
at least one gentoo person writing patches, and I registered a mirror
of his repository as a fork on http://repo.or.cz/w/gitosis.git.  FWIW,
I have started to make a couple of cleanups of this code recently, and
will push them as another fork shortly).

OTOH, it does enforce a centralized verification scheme.  If you want
something more flexible, I believe that could easily be done on top of
commit notes (development for that feature has unfortunately stalled
AFAIK).  I'm cc'ing the git list so others have the opportunity to
comment.

> 
> I tested several systems in this respect without finding any 100% 
> satisfactory solution.
> 
> Here is what I found:
> 
> - Mercurial provides an extension to explicitly sign certain 
>   revisions. The act of signing creates a new revision by itself. 
>   It seems like there is no way of automatically checking all 
>   signatures or to detect revisions without signatures.
> 
> - Git only allows to sign tags and to verify those signatures on 
>   demand.
> 
> - Monotone has mandatory signatures, which looks rather good to 
>   me. However, the monotone server does not support encryption 
>   and also does not seem to support SSH tunneling in a convenient 
>   way (like most other systems, by calling 'ssh'), but only by a 
>   "real" tunnel (opening a local port and such). So, 
>   unfortunately, monotone is ruled out by this other criterion.
> 
> - Bazaar can sign revisions, and it can be told to sign each and 
>   every revision upon commit. However, I did not find any 
>   built-in way to check signatures. There is an option 
>   'check_signatures' which can be set to 'required', but I could 
>   not find out what it does actually. It is not documented.
> 
>   There is a plugin for Bazaar, however, with which one can get 
>   statistics on how many revisions are signed and which 
>   signatures cause problems. When these statistics say that 
>   everything is signed and okay, then one can trust the user 
>   names in the commit log.
> 
> Bottom line is that Bazaar is closest to my needs, but not yet 100%.
> 
> Suggestions?
> 
> Thank you!
> Lasse
> 
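
The Subversion setup described in the quoted message only binds names to people if every key in the shared account's '~/.ssh/authorized_keys' carries a forced 'svnserve -t --tunnel-user=USER' command. As an added example (not part of the original thread), this Python audit flags entries that do not pin the user; the function names, the accepted command shape and the sample file with placeholder key blobs are assumptions constructed for illustration.

```python
import re
# Assumption: the shared account's forced command has exactly this shape.
FORCED = re.compile(r"(?:\S*/)?svnserve -t(?: -r [\w./-]+)? --tunnel-user=([\w.-]+)")
LOCKDOWN = ("no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty")

def split_options(line):
    """Return the option list that precedes the key type, honouring quotes."""
    if line.startswith(("ssh-", "ecdsa-sha2-", "sk-")):  # no options field
        return []
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':  # escaped quote inside a value
            cur, i = cur + '"', i + 1
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts, cur = opts + [cur], ""
        elif ch in " \t" and not quoted:
            break                              # end of the options field
        else:
            cur += ch
        i += 1
    return opts + [cur]

def audit(text):
    """Map line number -> (pinned user or None, list of problems)."""
    report = {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pairs = (o.partition("=") for o in split_options(line))
        named = {k.lower(): v for k, _, v in pairs}  # option names are case-insensitive
        m = FORCED.fullmatch(named.get("command", ""))
        why = "command does not pin --tunnel-user" if "command" in named else "no forced command"
        problems = [] if m else [why]
        missing = [o for o in LOCKDOWN if o not in named]
        if missing and "restrict" not in named:  # OpenSSH's "restrict" implies all four
            problems.append("missing " + ", ".join(missing))
        report[no] = (m.group(1) if m else None, problems)
    return report

SAMPLE = """# constructed sample for a shared "svn" account; key blobs are placeholders
command="svnserve -t --tunnel-user=alice",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAplaceholderA alice
command="svnserve -t",no-pty ssh-rsa AAAAplaceholderB bob
ssh-rsa AAAAplaceholderC carol
command="svnserve -t --tunnel-user=dave",restrict ssh-ed25519 AAAAplaceholderD dave
"""
```

Calling audit(SAMPLE) returns one entry per key line; an empty problem list means the committer name recorded for that key is fixed by the server rather than chosen by the client.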



