Monotonous Mess-ups


Apparently, there are still software developers out there who don’t know what version or revision control systems can do for them. Just think of it as backups of your thought processes. Nowadays, though, that breed of programmer is (thankfully!) becoming relatively rare[1].

Version control has been around for ages[2], so I’m not going to explain it. A more recent, but still not exactly new, development is distributed version control systems, which basically replace the central repository with a more peer-to-peer approach. Each client has its own repository, and repositories of different clients can be synchronized.

For private stuff, I’m using one such system called monotone. Not only does it have a drawing of a rat[3] as its mascot/logo, it also uses a programming language and a collection of libraries that I’m very familiar with, meaning I can modify it to my needs.

A few days ago, I decided to synchronize two such repositories which, for various reasons, I keep on different computers, only to notice that I had made a mistake. Monotone keeps track of who you are by a user ID, usually in the form of an email address. It then associates this user ID with a cryptographic key pair, which is automatically used to digitally sign any changes you make to the repository.

That’s good, because such signatures are fairly hard to fake on the one hand, and because email addresses (usually) uniquely identify people on the other – giving pretty good accountability for every change made.

Unfortunately, I’d used the same email address in both repositories, but had generated a new, unique key for each as well. After merging the repositories, there were revisions that were allegedly signed with my email address, but the stored key didn’t match the signature anymore. A few bleary-eyed and panicky commands later[4], the result was that while I had all the information I wanted, I just couldn’t access it.

1337 h4X0r1ng 5k1llz to the rescue – I created a small patch introducing a new command that lets you sign revisions with your current key. The patch has been sent to the monotone development list, and the developers may or may not include it in future releases.

Note though, that the command does not correct faulty signatures, it just adds new ones. The reason lies in the fact that, being distributed, the faulty signatures might have already been propagated widely across the whole world, and recalling them wouldn’t be easy. Adding a new signature for each revision enables you to access the revisions, but doesn’t pretend to clean up the mess I made. A positive side effect may be that any number of people can sign one and the same revision now, and it’s up to you whose signature you trust.
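
A minimal model of the situation described above, added here as an illustration and not taken from monotone or from the patch. HMAC stands in for the public-key signature, and the `Repo` class, key values, user ID and revision names are all hypothetical.

```python
import hashlib
import hmac

# Model only: HMAC stands in for a public-key signature, so one "key"
# both signs and verifies. Every name and value here is constructed.
def sign(key: bytes, revision: str) -> bytes:
    return hmac.new(key, revision.encode(), hashlib.sha256).digest()

class Repo:
    """Stores one key per user ID plus a list of signatures on revisions."""
    def __init__(self):
        self.keys = {}   # user ID -> key
        self.certs = []  # (revision, user ID, signature)

    def add_signature(self, revision, user_id, key):
        self.certs.append((revision, user_id, sign(key, revision)))

    def commit(self, revision, user_id, key):
        self.keys.setdefault(user_id, key)
        self.add_signature(revision, user_id, key)

    def sync_from(self, other):
        # Keys are found by user ID, so the key already stored locally wins.
        for uid, key in other.keys.items():
            self.keys.setdefault(uid, key)
        self.certs.extend(c for c in other.certs if c not in self.certs)

    def verified(self):
        """Revisions with at least one signature matching the stored key."""
        ok = set()
        for revision, uid, sig in self.certs:
            key = self.keys.get(uid)
            if key and hmac.compare_digest(sig, sign(key, revision)):
                ok.add(revision)
        return ok

def demo():
    uid = "me@example.org"  # same user ID on both machines
    key_a, key_b = b"key-from-machine-A", b"key-from-machine-B"
    a, b = Repo(), Repo()
    a.commit("rev-a1", uid, key_a)
    b.commit("rev-b1", uid, key_b)
    a.sync_from(b)
    before = a.verified()  # rev-b1 fails against the stored key
    # The fix: add a signature with the current key, leave the old one alone.
    for revision in {r for r, _, _ in a.certs} - before:
        a.add_signature(revision, uid, a.keys[uid])
    return before, a.verified(), len(a.certs)

if __name__ == "__main__":
    print(demo())
```

The faulty signature on `rev-b1` stays in the list after re-signing; the revision becomes usable only because a second, valid signature now sits beside it.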

Anyway, if you’re interested in this patch and can’t wait for future monotone releases, you can download it here. It should apply cleanly against monotone 0.35.

Not entirely unrelated to my endeavours, I also discovered that the monotone developers seem to be by far the most friendly I’ve come across in open source projects. Thanks!

  1. Though I could tell you stories about former employers… no, I’d better not.
  2. In internet years, that is.
  3. Oddly enough, the rat doesn’t seem to have a tail.
  4. I had just gotten up, and while my body is ready for action fairly quickly, it takes my brain a while to catch up.