On Dec 14, 2017, at 10:19 AM, jungle Boogie <jungleboog...@gmail.com> wrote:
>
> So Warren edited a file at the same exact time as tangent?

Fossil arguably has a bug here, where if you check a change in as local user name “tangent”, as I do here, then *later* do a “fossil sync” to a URL with a user name, some bit of the local on-disk state remembers that you originally cloned the repo as tangent and makes your changes under that name. Then when you go to push to the remote repo, it uses your remote user name and password credentials, but the changes are tagged with your local user name.

I think Fossil ought to catch this kind of thing and either silently rewrite the user name or force some local fix-up if it can’t be done automatically for some reason.

This kind of thing happens when a previous outsider to a project is later granted privileges, but under a different name.

I assume Fossil is the way it currently is because:

a) many people use the same user name everywhere;

b) it’s a rare occurrence; and

c) it’s easy to fix when it happens

But even knowing all of this, it’s happened to me twice with the fossil-scm.org repository, once from two different machines. The first was a pure surprise to me on my first checkin to fossil-scm.org, and the second happened to me yesterday because I missed one client machine when I went around and closed, re-cloned and re-opened the fossil-scm.org repository to make each one forget about user tangent.

I classify this as a bug because it could be used for an impersonation attack. I expect that it would not allow me to check changes in as drh simply by creating a local drh user, since that’s a known user and I cannot produce drh’s password, but it certainly will let me check changes in as billgates.
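
An added example, not part of the original message and not Fossil's own code: one way a repository administrator could audit for the mismatch described above, by listing check-ins whose recorded user name has no matching login. The table layout is a simplified stand-in assumed to mirror the `event` and `user` tables of a Fossil repository database, and every row, including the login `warren`, is constructed.

```python
import sqlite3

# Simplified stand-in for the two repository tables this check needs.
# Assumption: event.user / event.euser hold the check-in user name (euser
# being an edited override) and user.login holds the server's accounts.
SCHEMA = """
CREATE TABLE user(uid INTEGER PRIMARY KEY, login TEXT UNIQUE);
CREATE TABLE event(type TEXT, mtime REAL, objid INTEGER,
                   user TEXT, euser TEXT, comment TEXT);
"""

# Check-ins ('ci') whose effective user name matches no known login.
AUDIT = """
SELECT e.objid, coalesce(e.euser, e.user) AS name, e.comment
  FROM event e
 WHERE e.type = 'ci'
   AND coalesce(e.euser, e.user) NOT IN (SELECT login FROM user)
 ORDER BY e.mtime
"""

def unknown_committers(db):
    """Return (objid, name, comment) for check-ins whose recorded user
    name matches no login in the repository's user table."""
    return db.execute(AUDIT).fetchall()

def build_sample():
    """Constructed sample data, not taken from any real repository."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO user(login) VALUES (?)",
                   [("drh",), ("warren",)])
    db.executemany("INSERT INTO event VALUES (?,?,?,?,?,?)", [
        ("ci", 1.0, 101, "drh", None, "fix typo"),
        ("ci", 2.0, 102, "tangent", None, "pushed with another login"),
        ("ci", 3.0, 103, "billgates", None, "name chosen on the client"),
        ("ci", 4.0, 104, "tangent", "warren", "user name amended later"),
        ("w", 5.0, 105, "tangent", None, "wiki edit, not a check-in"),
    ])
    return db

if __name__ == "__main__":
    for objid, name, comment in unknown_committers(build_sample()):
        print(f"check-in {objid}: user '{name}' has no account ({comment})")
```

The audit only flags names with no account at all; it cannot tell whether a name that does match an account belongs to the login that authenticated the push.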