On 01/31/2013 11:38 AM, Tomas Carnecky wrote:
> On Thu, 31 Jan 2013 13:52:32 +0800, Scott Yan <scottya...@gmail.com> wrote:
>> Hello everyone:
>> The user info of git client (user name and email) is set by the users
>> themselves, so , how to avoid userA pretend to be userB?
>> Git server could authentication the user, but it do nothing about the
>> user info of commit message.
>> For example:
>> There are 20 people of my team, and everyone can push to the public
>> repository(git server),
>> If I found some backdoor code in my project, and the commit record
>> shows it was committed by userA, so I ask userA: why do you do this?
>> but he told me: no, this is not my code, I have never committed such
>> thing. ----and yes, everyone could change his user info to userA very
>> easily .
>> so... what should I do to avoid such situations?
> gitolite keeps a log of which SSH user pushed which commits. The smart-http
> backend does the same if you have reflog enabled on the server (see the
> ENVIRONMENT section in man git-http-backend). So unless someone can steal
> userA's credentials (http password, ssh key) you'll be able to detect who it
> really was.
See also my rant on this topic:
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html