| Author's copy | Confidentiality and Authenticity for Distributed Version Control Systems — A Mercurial Extension Michael Lass Dominik Leibenger Christoph Sorge Paderborn University CISPA, Saarland University CISPA, Saarland University 33098 Paderborn, Germany 66123 Saarbrucken,¨ Germany 66123 Saarbrucken,¨ Germany
[email protected] [email protected] [email protected] Abstract—Version Control Systems (VCS) are a valuable tool is a cryptography-based access control solution for SVN that for software development and document management. Both enforces access rights using end-to-end encryption. [13] client/server and distributed (Peer-to-Peer) models exist, with the Since Git [7] was released in 2005, distributed VCS have latter (e.g., Git and Mercurial) becoming increasingly popular. gained more and more popularity. Mercurial [16] and Git are Their distributed nature introduces complications, especially concerning security: it is hard to control the dissemination of the most-popular such systems today. In contrast to modern contents stored in distributed VCS as they rely on replication of centralized VCS, repositories are stored on users’ local work- complete repositories to any involved user. stations again. Collaboration among users is supported by We overcome this issue by designing and implementing a allowing users to synchronize their repositories with others. concept for cryptography-enforced access control which is trans- Revisions can be pulled from / pushed to remote repositories. parent to the user. Use of field-tested schemes (end-to-end encryp- tion, digital signatures) allows for strong security, while adoption There are no limitations concerning the resulting communica- of convergent encryption and content-defined chunking retains tion paths: Distributed VCS support centralized setups, fully storage efficiency.