On Mon, Jan 28, 2008 at 08:51:03PM -0700, Derek Scherger wrote:
> One reason for separating out the author from the signer is that, in the
> event of a database rebuild, all certs will be re-signed by whoever does
> the rebuild and the original author is lost. This has happened a few
> times in the monotone history and while not a huge problem does leave
> rebuild a little more lossy than it could be.

My current feeling is that separating out signer from author is a bad
idea. The cost of having them is paid all the time -- you have two
different identities to worry about every time you print a log
message, there are security concerns (people who are confused about
identity can cause a mess), etc. The cost of not having them is this
annoyance with database rebuilds, which are *very* rare, and for them
ad hoc techniques suffice. (For instance: just munge a note about the
original author into the commit message programmatically.)