Reconsidering github
Summary:

In a conversation between Peter Todd and Troy Benjegerdes, they discussed the benefits of Git's rebase functionality for communicating changes to developers and how this differs from Mercurial's immutable commit history. They also noted that while Mercurial is designed around immutable commits, an attacker can fake a series of Mercurial commits just as easily as they can fake Git commits. The only protection against history rewriting is signed commits and timestamps. Todd suggested using Bitcoin transactions for signatures, since the blockchain provides timestamps backed by a billion-dollar system. He also mentioned the need for multiple redundant "master" repositories run by different people in different jurisdictions to ensure operational security. He recommended a formal program of code review, perhaps on a per-release basis, wherein the master repos are copies of the "master master" repo that someone has manually verified and signed off on with a PGP signature. Benjegerdes expressed interest in getting paid for reviewing code rather than volunteering and proposed the use of his Bitcoin address in a signature transaction for the code he reviewed. Finally, he questioned the advantage of PGP, suggesting that more people have ECDSA public-private keys than PGP keys.
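The thread's point that only signed commits protect against history rewriting implies a check a repository maintainer can run: every commit in a range must carry a good signature from an allow-listed key. The following is an added example, not code from the thread or from either participant; it parses the output of `git log --format='%H %G? %GK'` (real git placeholders for commit hash, signature status and signing key), and the key id and log lines are constructed placeholders.

```python
# Added example: flag commits whose signature is missing, bad, or made by
# a key outside the maintainers' allow-list. Assumes git output in the
# form produced by:  git log --format='%H %G? %GK' <range>
import subprocess
from typing import List, Set, Tuple

# Placeholder maintainer key id (constructed, not a real key).
TRUSTED_KEYS: Set[str] = {"ABCDEF0123456789"}

# Constructed sample of git log output: one good commit, one unsigned,
# one signed by an unknown key, one with a bad signature.
SAMPLE_LOG = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9012345678 G ABCDEF0123456789
b2c3d4e5f60718293a4b5c6d7e8f9012345678a1 N
c3d4e5f60718293a4b5c6d7e8f9012345678a1b2 G 0000000011111111
d4e5f60718293a4b5c6d7e8f9012345678a1b2c3 B ABCDEF0123456789
"""

# Meaning of git's %G? status codes.
STATUS = {"G": "good", "B": "bad", "U": "untrusted", "X": "expired",
          "Y": "expired-key", "R": "revoked", "E": "unverifiable",
          "N": "unsigned"}


def check_log(text: str, trusted: Set[str]) -> List[Tuple[str, str]]:
    """Return (commit, reason) for every commit that fails the policy."""
    problems = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(" ", 2)
        commit, status = parts[0], parts[1]
        key = parts[2].strip() if len(parts) > 2 else ""
        if status != "G":
            problems.append((commit, STATUS.get(status, "unknown")))
        elif key not in trusted:
            problems.append((commit, f"untrusted key {key}"))
    return problems


def check_repo(rev_range: str, trusted: Set[str] = TRUSTED_KEYS):
    """Run git in the current working tree and apply the same policy."""
    out = subprocess.run(["git", "log", "--format=%H %G? %GK", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return check_log(out, trusted)


if __name__ == "__main__":
    for commit, reason in check_log(SAMPLE_LOG, TRUSTED_KEYS):
        print(f"{commit[:12]} {reason}")
```

An empty result from `check_repo("v1.0..HEAD")` means every commit since the signed-off release was signed by a listed maintainer; anything else is a history that should not be trusted without review.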


Updated on: 2023-06-09T02:20:13.742653+00:00