kmra...@rockwellcollins.com <kmra...@rockwellcollins.com>:
> Possibly I'm naive, but a client provided email address is far
> from being a GUID. In fact, I can pretty much set my email address
> to anything in most DVCS tools. Who is to say I haven't used
> your email address when committing?
Technically, nothing. The underlying assumption is that you trust
your contributors not to *want* to spoof each other.
Sure, it would be nice to have better authentication than that, but
if you think for a bit you'll see that this is a very hard problem.
The cost of solving it would so high that DVCSes have decided they have
to ignore the spoofing case and hope everybody behaves well.
So far, this has worked.
--
<a href="http://www.catb.org/~esr/";>Eric S. Raymond</a>
