Comment 3 for bug 709084

Vincent Ladeuil (vila) wrote :

I doubt you can trigger an anti-virus from data embedded in a bzr format without using bzr itself to get access to it, in which case you know it's text and not a virus.

Similarly, I fail to see how a virus could run from inside a bzr data file.

Also, if there is no way from the bzr CLI to expose such metadata, why would it be exposed in a browser? And if it needed to be exposed, it's the web engine's responsibility to quote whatever content it wants to display to avoid such problems.

Now to come back to your initial problem which this bug should focus on IMHO, a merge directive is not a branch today for bzr, so if you want access to more data inside the merge directive, you can indeed turn it into a branch.

The only use cases we've heard about for merge directive usage to share code among a project are when there is no alternative, for very small projects (as in 2 people).

bzr supports ftp, sftp, http, webdav, etc., so finding a server for a real branch seems to have been enough for now.

That being said, if you're interested in working on merge directives to make them behave as real branches, your patches will be warmly welcome.

Also, if you want to bring more security to a merge-directive based workflow, you can still sign the revisions and sign the emails, but even if you don't, remember that whoever manages to inject anything suspicious in the project is identified, whoever merges such contributions is identified, that's the point of a VCS.