Eric S. Raymond wrote on Sat, Dec 01, 2012 at 01:03:28 -0500:
> kmra...@rockwellcollins.com <kmra...@rockwellcollins.com>:
> > Possibly I'm naive, but a client provided email address is far
> > from being a GUID.  In fact, I can pretty much set my email address
> > to anything in most DVCS tools.  Who is to say I haven't used
> > your email address when committing?
> 
> Technically, nothing.  The underlying assumption is that you trust
> your contributors not to *want* to spoof each other.
> 
> Sure, it would be nice to have better authentication than that, but
> if you think for a bit you'll see that this is a very hard problem.  
> The cost of solving it would be so high that DVCSes have decided they have
> to ignore the spoofing case and hope everybody behaves well.
> 

Haven't a few projects decided to require PGP-signed revisions instead?

> So far, this has worked.
> -- 
>               <a href="http://www.catb.org/~esr/">Eric S. Raymond</a>
