If you guys are going to get into this more deeply, you should probably
also consider revocation issues. That is, what happens when it is
discovered that a contributor's private key has been compromised?
The discovery date of the compromise is obviously = the compromise date.
As such, some set
Sorry for the delay. I've been swamped with work.
On Wed, Aug 21, 2013 at 02:30:10PM +0200, Stephan Beal wrote:
On Wed, Aug 21, 2013 at 1:58 PM, John Long codeb...@inbox.lv wrote:
Digital signing means I certify that I wrote this. This thing itself, and
not something derived from it.
Thus said John Long on Wed, 28 Aug 2013 11:57:01 -:
There are two value added things digital signing provides over
hashing in this specific example when fossil uses SHA1. One, a person
is taking responsibility for a commit and saying I did this. Two,
PGP can use much stronger
On Wed, Aug 28, 2013 at 3:51 PM, Andy Bradford amb-fos...@bradfords.org wrote:
2.1 Identification Of Artifacts
A particular version of a particular file is called an
artifact. Each artifact has a universally unique name which is
the SHA1 hash of the content of
Stephan, Andy,
Put briefly: when you tell fossil to give you the contents of file
abcdef, it may internally go through several versions of that file on
its way to generating the one you requested, applying deltas as it goes.
The end result is that the content is logically immutable, and
On Wed, Aug 28, 2013 at 6:26 PM, John Long codeb...@inbox.lv wrote:
...that problem is solved by using SHA1. The other issue, which is
specific to specific situations, is whether the hash alone is sufficient
to protect against malicious alteration of the repository. In the first
case it would
On Wed, Aug 28, 2013 at 06:40:19PM +0200, Stephan Beal wrote:
On Wed, Aug 28, 2013 at 6:26 PM, John Long codeb...@inbox.lv wrote:
...that problem is solved by using SHA1. The other issue, which is
specific to specific situations, is whether the hash alone is sufficient
to protect
[507ee45f25] http://localhost:8080/info/507ee45f25 Fix an off-by-one
bug in the network protocol handler so that it can accept a zero-length
file. (*PGP SIGNED*) (user:
drh http://localhost:8080/timeline?u=drhc=2007-08-25+12%3A31%3A55nd,
tags:
On Sat, Aug 24, 2013 at 10:30 PM, Eric Rubin-Smith eas@gmail.com wrote:
You should be careful how you render things like that. I think now a
malicious user Mallory can easily subvert your scheme by appending the text
(*PGP SIGNED*) to the end of his unsigned check-in comment. People will
On Tue, Aug 20, 2013 at 09:28:00PM +0200, Stephan Beal wrote:
On Tue, Aug 20, 2013 at 9:03 PM, John Long codeb...@inbox.lv wrote:
My understanding is you already compute checksums on commits.
At a lot of places. Blob content is referenced by its content SHA1, so
any change there
On Wed, Aug 21, 2013 at 1:58 PM, John Long codeb...@inbox.lv wrote:
If I understood what you wrote, the checkin manifest is some kind of meta
data about the commit
Correct. It tells us what blobs (stored separately) belong to the commit
and hold some metadata for it (comment text, user
Hello,
I've converted (mostly from Git, but as well as from darcs btr) *all*
my repos to Fossil in order to exclusively use it and test it
thoroughly.
Now I experience some (strange) problem that I can't see GPG signatures
in my commits.
During commit I see the following:
You need a
On Tue, Aug 20, 2013 at 7:42 AM, Gour g...@atmarama.net wrote:
Hello,
I've converted (mostly from Git, but as well as from darcs btr) *all*
my repos to Fossil in order to exclusively use it and test it
thoroughly.
Now I experience some (strange) problem that I can't see GPG signatures
On Tue, 20 Aug 2013 07:47:42 -0400
Richard Hipp d...@sqlite.org wrote:
The PGP signature is recorded in the repository. (See, for example
the PGP signature on an early check-in to Fossil itself at
http://www.fossil-scm.org/fossil/artifact/22c1ac41d4c02c44).
OK.
However, I have never added
On Tue, Aug 20, 2013 at 8:05 AM, Gour g...@atmarama.net wrote:
Iow, I'd like an easy way to check whether the commit is signed or not,
possibly close to the 'SHA1 Hash:' label or something.
I'm also pretty sure that something like that was available or am I
dreaming...
I think you dreamed
On Tue, Aug 20, 2013 at 2:05 PM, Gour g...@atmarama.net wrote:
Iow, I'd like an easy way to check whether the commit is signed or not,
possibly close to the 'SHA1 Hash:' label or something.
i recently saw something similar in the JimTCL timeline, where each commit
has a signed off by..., but
On Tue, Aug 20, 2013 at 2:11 PM, Stephan Beal sgb...@googlemail.com wrote:
i've just written down a TODO to add this info to the timeline if it's not
terribly problematic. The main problem is that the timeline doesn't have
that level of data. Ah, but it could - we could still see the PGP key
On Tue, 20 Aug 2013 14:58:49 +0200
Stephan Beal sgb...@googlemail.com wrote:
Can you please try that out, Gour?
Here is output from configure:
gour@atmarama ~/t/fossil ./configure
Host System...x86_64-unknown-linux-gnu
Build System...x86_64-unknown-linux-gnu
C compiler... cc -g -O2
C++
On Tue, Aug 20, 2013 at 3:23 PM, Gour g...@atmarama.net wrote:
On Tue, 20 Aug 2013 14:58:49 +0200
Stephan Beal sgb...@googlemail.com wrote:
Can you please try that out, Gour?
Here is output from configure:
Do:
fossil co timeline-pgp-marker
./configure
make clean
make
./fossil rebuild
On Tue, Aug 20, 2013 at 9:23 AM, Gour g...@atmarama.net wrote:
On Tue, 20 Aug 2013 14:58:49 +0200
Stephan Beal sgb...@googlemail.com wrote:
Can you please try that out, Gour?
Here is output from configure:
gour@atmarama ~/t/fossil ./configure
Try instead: ./configure
On Tue, 20 Aug 2013 14:58:49 +0200
Stephan Beal sgb...@googlemail.com wrote:
Can you please try that out, Gour?
My mistake...I mixed fossil versions for commit and ui.
It's OK, and it would be superb to e.g. have *PGP SIGNED* as hyperlink
to the artifact?
Sincerely,
Gour
--
Not by merely
On Tue, Aug 20, 2013 at 3:34 PM, Gour g...@atmarama.net wrote:
It's OK, and it would be superb to e.g. have *PGP SIGNED* as hyperlink
to the artifact?
To the raw manifest, you mean?
--
- stephan beal
http://wanderinghorse.net/home/stephan/
http://gplus.to/sgbeal
On Tue, 20 Aug 2013 15:42:19 +0200
Stephan Beal sgb...@googlemail.com wrote:
To the raw manifest, you mean?
Yes, to the one e.g. shown by Richard:
http://www.fossil-scm.org/fossil/artifact/22c1ac41d4c02c44
Sincerely,
Gour
--
One who is not disturbed in mind even amidst the threefold
On Tue, Aug 20, 2013 at 4:02 PM, Gour g...@atmarama.net wrote:
On Tue, 20 Aug 2013 15:42:19 +0200
Stephan Beal sgb...@googlemail.com wrote:
To the raw manifest, you mean?
Yes, to the one e.g. shown by Richard:
http://www.fossil-scm.org/fossil/artifact/22c1ac41d4c02c44
Please do an
On Tue, 20 Aug 2013 16:10:05 +0200
Stephan Beal sgb...@googlemail.com wrote:
Please do an update, 'make', fossil rebuild, and try again. i'm not
terribly happy with how the link looks, but that seems to be the way
those links are supposed to be displayed in the timeline.
Yeah, functionality
On Tue, Aug 20, 2013 at 6:19 PM, Gour g...@atmarama.net wrote:
Yeah, functionality is there, some cosmetic is required...link can point
to http://some-domain/artifact/id, but the link title can be e.g. just
*PGP-SIGNED* ?
i don't see a way to do that without hard-coding the link into the
I need to go back in the archives and see where I can find an example of
this but in the meantime to ask the obvious, is fossil verifying the
signatures as part of the commit process or does fossil simply carry the
data so the signature can be verified manually?
On Tue, Aug 20, 2013 at
On Tue, 20 Aug 2013 18:41:39 +0200
Stephan Beal sgb...@googlemail.com wrote:
However... i don't want to move this to the trunk until i hear some
feedback from the devs whether this is the optimal solution or whether
something like a simple PGP would do.
Sure, let's hear what others can say...
On Tue, Aug 20, 2013 at 8:07 PM, John Long codeb...@inbox.lv wrote:
I need to go back in the archives and see where I can find an example of
this but in the meantime to ask the obvious, is fossil verifying the
signatures as part of the commit process or does fossil simply carry the
data so
On Tue, Aug 20, 2013 at 2:32 PM, Stephan Beal sgb...@googlemail.com wrote:
On Tue, Aug 20, 2013 at 8:07 PM, John Long codeb...@inbox.lv wrote:
is fossil verifying the
signatures as part of the commit process or does fossil simply carry the
data so the signature can be verified manually?
On Tue, Aug 20, 2013 at 08:32:21PM +0200, Stephan Beal wrote:
On Tue, Aug 20, 2013 at 8:07 PM, John Long codeb...@inbox.lv wrote:
I need to go back in the archives and see where I can find an example of
this but in the meantime to ask the obvious, is fossil verifying the
signatures as
On Tue, Aug 20, 2013 at 8:39 PM, John Long codeb...@inbox.lv wrote:
If you're working on flagging PGP commits then it would be really nice to
say PGP in red if the signature doesn't verify or green if it does or
something like that. Otherwise saying PGP on a commit does more harm than
good
On Tue, Aug 20, 2013 at 08:43:36PM +0200, Stephan Beal wrote:
On Tue, Aug 20, 2013 at 8:39 PM, John Long codeb...@inbox.lv wrote:
If you're working on flagging PGP commits then it would be really nice to
say PGP in red if the signature doesn't verify or green if it does or
something like
On Tue, Aug 20, 2013 at 9:03 PM, John Long codeb...@inbox.lv wrote:
is called gpgme (gpg made easy) IIRC. I think it's not something you have
to link and you should be able to tell if it's present or not.
i can't personally commit to it, but maybe someone who's listening can.
My
34 matches