diff -r 7369ff737684 -r 86ec1268d306 doc/security --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/doc/security Sat Mar 07 09:31:06 2009 +0000 @@ -0,0 +1,21 @@ +SECURITY OF MERCURIAL-SERVER + +mercurial-server relies entirely on sshd to grant access to remote users. As a +result, it runs no daemons, installs no setuid programs, and no part of it +runs as root except the install process: all programs run as the user hg. And +any attack on mercurial-server can only be started if the Bad Guys already +have a public key in ~hg/.ssh/authorized_keys, otherwise sshd will bar the +way. No matter what command the user tries to run on the remote system via +ssh, mercurial-server is run. + +It parses the command line the user asked for, and interprets and runs the +corresponding hg operation itself if access is allowed, so users can only read +and add to history within repositories; they cannot run any other hg command. +In addition, every push and pull is logged with a datestamp, changeset ID and +the key that performed the operation. + +However, while the first paragraph holds no matter what bugs mercurial-server +contains, the second depends on the relevant code being correct; though the +entire codebase is currently only about twice as long as this README, +mercurial-server is a fairly new program and may harbour bugs. Backups are +essential!
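Review bot: The strongest claim in this file, that "no matter what command the user tries to run on the remote system via ssh, mercurial-server is run" and that this holds regardless of bugs in mercurial-server, is stated without saying what enforces it; it rests on sshd's authorized_keys options (a forced command plus the options that disable pty, port and agent forwarding) being present on every key entry, and a key added to ~hg/.ssh/authorized_keys without those options would not be covered by the first paragraph at all. Suggest adding a sentence naming that mechanism and the resulting requirement that only the tooling, never a hand edit, writes authorized_keys, since the whole trust argument depends on it. Minor: the text calls itself "this README" but the file being added is doc/security; pick one name so the size comparison in the last paragraph refers to an identifiable file.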