Re: reposurgeon now writes Subversion repositories
Eric S. Raymond wrote on Sat, Dec 01, 2012 at 01:03:28 -0500:
> kmradke_at_rockwellcollins.com <kmradke_at_rockwellcollins.com>:
> > Possibly I'm naive, but a client provided email address is far
> > from being a GUID. In fact, I can pretty much set my email address
> > to anything in most DVCS tools. Who is to say I haven't used
> > your email address when committing?
> Technically, nothing. The underlying assumption is that you trust
> your contributors not to *want* to spoof each other.
> Sure, it would be nice to have better authentication than that, but
> if you think for a bit you'll see that this is a very hard problem.
> The cost of solving it would be so high that DVCSes have decided they have
> to ignore the spoofing case and hope everybody behaves well.
Haven't a few projects decided to require PGP-signed revisions instead?
> So far, this has worked.
> Eric S. Raymond
Received on 2012-12-01 07:14:42 CET
This is an archived mail posted to the Subversion Dev