LWN: Comments on "Sourceforge Attack: Full Report"

Sourceforge Attack: Full Report

dpotapov — Tue, 01 Feb 2011 12:02:05 +0000

> are other DVCSes the same way as git, with hashes and so on?

Mercurial uses SHA1 hashes in the same way as git, and both of them borrowed this idea from Monotone. Bazaar also uses SHA1 for integrity checking, but it relies UUIDs to identify revisions. If you signed your revisions in Bazaar (with gpg), they cannot be forged, but I don't know Bazaar well enough to tell what happens with non-signed revisions.

Sourceforge Attack: Full Report

rbrito — Mon, 31 Jan 2011 23:26:45 +0000

From the blog post, they have conjectured of removing the CVS access and offering the SVN for those that still want a centralized VCS.

Some of the responses on that blog post seem to indicate a strong resistance to move from CVS (probably the Windows people use tools to interact with their CVS repositories?).

The consistency point is yet another one where git helps the users a lot, for you'd just have to compare a few sha1 hashes and you'd be done to check if there was any corruption in that repository.

The users themselves would also quickly notice if something strange happened in this regard, when trying to use their repositories (fork, pull, push, merge etc.).

I don't know if sourceforge allows something like github's forking a repository and keeping a personal copy, or if they only allow repositories attached to projects...

BTW, for those that are familiar, are other DVCSes the same way as git, with hashes and so on?

Sourceforge Attack: Full Report

b7j0c — Mon, 31 Jan 2011 17:33:15 +0000

if only they had disabled the idiotic download redirect