"Shawn O. Pearce" <spearce@xxxxxxxxxxx> wrote:
> Andy Parkins <andyparkins@xxxxxxxxx> wrote:
> > Of course my favourite is git, but we were talking about the certificates
> > needed by monotone for each developer.

One problem here is a certificate does not make a security system.
Obviously anyone can generate a certificate and claim anything they
want within it, just the same as you can claim anything you want in a
Git commit or tag. What's needed is some external method that all
interested parties trust to verify a given certificate is associated
with a given entity.

> What I'm actually doing in one particular environment is checking
> the committer string against a database of known committer strings
> associated with the current UNIX uid.

In this particular case access to the UNIX system is tightly
controlled. Much paperwork must be filled out and signed by multiple
people, all of whom recognize the user on sight and know why they need
access to that system. They also have checked the user's identity
through multiple background checks, fingerprinting, etc.

In other words the entire authentication problem was already solved,
trusting the UNIX uid just let Git plug into that seamlessly.

The problem is obviously harder on the Internet. I've never met anyone
on this mailing list in person, but the quality (or lack thereof
sometimes) is evident in my work, and since it's all peer-reviewed
anyway Junio finds little risk in incorporating the good stuff into
git.git. No certificate required.

-- 
Shawn.
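
The committer check described in the message, sketched as a server-side `update` hook. This is an added example, not code from the original post or from Git; the allow-list path, the `COMMITTER_DB` variable and the `uid:Name <email>` line format are assumptions.

```shell
#!/bin/sh
# Added illustration: committer check for a server-side "update" hook.
# Assumptions (not from the original message): the allow-list path, the
# COMMITTER_DB variable and the "<uid>:<Name> <email>" line format.

# Print the committer strings registered for a UNIX uid.
allowed_for_uid() {
    awk -F: -v uid="$1" '$1 == uid { sub(/^[^:]*:/, ""); print }' "$2"
}

# check_committers UID DBFILE: read "Name <email>" lines on stdin and
# return 0 only if every line exactly matches an entry for UID.
check_committers() {
    cc_uid=$1 cc_rc=0
    cc_allowed=$(allowed_for_uid "$cc_uid" "$2")
    # Fail closed: a uid with no entries may not push any commits.
    if [ -z "$cc_allowed" ]; then
        echo "uid $cc_uid has no registered committer string" >&2
        return 1
    fi
    while IFS= read -r cc_line; do
        # -F fixed string, -x whole line: no regex or substring matches.
        if [ -z "$cc_line" ] ||
           ! printf '%s\n' "$cc_allowed" | grep -Fxq -- "$cc_line"; then
            echo "rejected: '$cc_line' not registered for uid $cc_uid" >&2
            cc_rc=1
        fi
    done
    return "$cc_rc"
}

# As hooks/update, git passes: <refname> <oldrev> <newrev>.
if [ "$#" -eq 3 ]; then
    case $3 in *[!0]*) ;; *) exit 0 ;; esac        # ref deletion: nothing to check
    case $2 in
        *[!0]*) set -- "$2..$3" ;;                 # existing ref: new commits only
        *)      set -- "$3" --not --all ;;         # new ref: commits not yet on any ref
    esac
    git log --format='%cn <%ce>' "$@" | sort -u |
        check_committers "$(id -u)" "${COMMITTER_DB:-/etc/git-committers}" || exit 1
fi
```

The check is only as strong as the binding between the uid and the person, which is the point the message makes: the hook trusts whatever process already authenticated the UNIX account.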