Date:      Fri, 06 Feb 2009 19:14:14 +0200
From:      Giorgos Keramidas <>
To:        cpghost <>
Cc:        "" <>
Subject:   Re: OT: SVN checkout checksumming
Message-ID:  <871vubv66x.fsf@kobe.laptop>
In-Reply-To: <> ('s message of "Fri, 6 Feb 2009 17:58:00 +0100")
References:  <> <878wolpydl.fsf@kobe.laptop> <>

On Fri, 6 Feb 2009 17:58:00 +0100, cpghost <> wrote:
>> Let's assume for a moment that you install a post-commit hook that
>> generates a SHA-256 checksum of all the files in the latest repo
>> revision on the svn server.
>> For the sake of simplicity, let's assume that this file is a simple,
>> plain text file that is named db/revs/NUMBER.sha256 where 'NUMBER' is
>> the revision number you are check-summing.
>> How are you going to *safely* transmit those SHA-256 checksums to the
>> client on 'svn checkout'?
> Well, sorry to bring this back up, but again: how about signing
> NUMBER.sha256 with a GnuPG private key belonging to the FreeBSD
> Project? If there's a way to *safely* get the corresponding
> public key, checking the signature of the NUMBER.sha256 files
> would be trivial.

If the signed data is not part of the actual repository, you have a
signature for a numeric value, not a signature for the *contents* of the
repository itself.

I think I am missing something here...
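
The scheme discussed in this thread, as an added example that is not code from the thread or from the FreeBSD project: a signature over a checksum file only vouches for that file's bytes, so the client has to recompute per-file SHA-256 digests from its checkout and compare them with the signed list. The manifest layout, the function names and revision 1234 are assumptions, and the manifest's GnuPG signature is assumed to have been verified separately before it is used.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path, revision: int) -> str:
    """Manifest text: a revision header, then one 'digest  path' line per file."""
    lines = [f"revision {revision}"]
    files = (p for p in root.rglob("*") if p.is_file() and ".svn" not in p.parts)
    for path in sorted(files):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        lines.append(f"{digest}  {path.relative_to(root).as_posix()}")
    return "\n".join(lines) + "\n"


def parse_entries(manifest: str) -> dict[str, str]:
    """Map path -> digest for every entry line after the header."""
    pairs = (line.split("  ", 1) for line in manifest.splitlines()[1:])
    return {name: digest for digest, name in pairs}


def verify_checkout(root: Path, manifest: str, revision: int) -> list[str]:
    """Return the list of mismatches; empty means the tree matches the manifest."""
    problems = []
    if manifest.splitlines()[:1] != [f"revision {revision}"]:
        problems.append("wrong revision")
    expected = parse_entries(manifest)
    actual = parse_entries(build_manifest(root, revision))
    for name in sorted(expected.keys() | actual.keys()):
        if name not in actual:
            problems.append(f"missing: {name}")
        elif name not in expected:
            problems.append(f"unexpected: {name}")
        elif actual[name] != expected[name]:
            problems.append(f"modified: {name}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed tree: verify it, change one file, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        (root / "src" / "main.c").write_text("int main(void) { return 0; }\n")
        (root / "README").write_text("constructed sample\n")
        manifest = build_manifest(root, 1234)  # what the hook would sign
        clean = verify_checkout(root, manifest, 1234)
        (root / "src" / "main.c").write_text("int main(void) { return 1; }\n")
        tampered = verify_checkout(root, manifest, 1234)
    return clean, tampered
```

A real working copy can differ byte-for-byte from the repository contents when svn:keywords or svn:eol-style are set, so the hook and the client must hash the same form of each file.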
