views:

137

answers:

1

I'm learning fossil and trying to reproduce a workflow for two people modifying the same source code tree.

So, Alice and Bob both have local repositories of some source code. Both have autosync off. Alice hacks some more, does some commits signing check-ins with her gpg key. This part is fine, as Alice I've managed to generate gpg keys, fossil asked me the key password when commiting. I'm also aware of gpg-agent but don't use it yet, because I'm trying to keep things as simple as possible for now.

Now, at some point Bob pulls changes from Alice's fossil repo. How would he verify Alice's signed check-ins?

Added:

I know that after pulling changes, Bob is able to manually navigate over Alice's check-ins by using 'fossil update ' and do 'gpg --verify manifest' for each of them. What I'm asking for is if fossil has an automated way to check all "foreign" check-ins after a 'fossil pull', before merging changes from other people with content from the local workspace.

A: 

Current (as of June, 2010) versions of fossil do not have any automation for gpg other than signing manifests. One recent thread discussing this at the fossil-users mailing list revealed that Dr. Hipp sees the signatures as being for proving identity of the person making the check in, not really for validating the check in itself. That proof could be important later in the context of an audit or lawsuit where being able to prove that policies were followed or that all code was covered by existing agreements could be important.

RBerteig