[cap-talk] wideword.net (and more general) version control--the "build" capability and the tag capability

[John Carlson]

Could someone describe how wideword.net does version control?  Can you  
tag groups of file without having read/write access?  Say I was a  
member of a configuration management team, and I couldn't change or  
read most of the files in the version control system (VCS), but  I  
could do a build based on a tag, and I had access to the files which  
specified dependencies like maven2 provides in a pom.xml (names of  
dependencies, but not the actual dependencies).  I could move tags  
based on comments left in the VCS by developers.  Thus I am given the  
ability to send files (a "build" capability) to a compiler/continuous  
integration system and it creates logs that are sent to developers.   
The product of the build (if it was successful) would be sent to the  
testers.

I know there are systems that approach this level of abstraction, are  
there any that meet the capability security model proposed above, that  
is, the "build" capability and tagging capability on files (without  
read/write)?  I realize that there needs to be a capability based file  
system underneath this.  Perhaps this is wishful thinking.

John