On Thu, 31 Jan 2013 13:52:32 +0800, Scott Yan <scottya...@gmail.com> wrote:
> Hello everyone:
> The user info of git client (user name and email) is set by the users
> themselves, so , how to avoid userA pretend to be userB?
> Git server could authentication the user, but it do nothing about the
> user info of commit message.
> For example:
> There are 20 people of my team, and everyone can push to the public
> repository(git server),
> If I found some backdoor code in my project, and the commit record
> shows it was committed by userA, so I ask userA: why do you do this?
> but he told me: no, this is not my code, I have never committed such
> thing.  ----and yes, everyone could change his user info to userA very
> easily .
> so... what should I do to avoid such situations?

gitolite keeps a log of which SSH user pushed which commits. The smart-http
backend does the same if you have reflog enabled on the server (see the
ENVIRONMENT section in man git-http-backend). So unless someone can steal
userA's credentials (http password, ssh key) you'll be able to detect who it
really was.
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to