Hi all,

That's a little strange, does it really mean I could pretend to be
someone else? Isn't there any way to have an authenticated user in
the logs (as it is standard for central-repository VCSes)?

Yes, you can pretend to be anyone, and I was also a bit surprised by it
initially. This should not be a problem, as in a small group developers are
usually not that hostile to each other :-) The underlying reason is that
git, as a DVCS, allows one to merge, move and cherry-pick commits from others,
and all this basically leads to allowing transfer of commits of others
between repositories.

I believe that there is a commit hook script somewhere which only
accepts signed commits. But I think it is overkill here; the set of
people with write access is fairly constrained.

There is also a simpler, 'hybrid' mode of signing changes. Tags can be
signed. As the progression of commits in git leads to a unique
cryptographic hash for each given point in commit history, the one who
signs a tag implicitly causes the preceding history to be signed (by
the tag-signer only, of course). We could do something like that
instead, when we're signing releases.

Best regards,
Onno
_______________________________________________
Simulavr-devel mailing list
http://lists.nongnu.org/mailman/listinfo/simulavr-devel
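
The hash-chain property behind the signed-tag suggestion above, as an added example that is not part of the original email: it computes commit ids the way git does with SHA-1 object names and shows that altering an author field in an old commit changes the tip id, and therefore the bytes a tag signature would cover. The names, timestamps, messages and the `v1.0` tag are constructed, and no real signature is produced.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """Git object name: SHA-1 over '<kind> <size>' + NUL byte + body."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.sha1(header + body).hexdigest()

EMPTY_TREE = git_object_id("tree", b"")  # git's well-known empty-tree id

def commit_id(tree: str, parents: list, author: str, message: str) -> str:
    """Build a commit object body and return its id (timestamps are constructed)."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {author} 1300000000 +0000",
              f"committer {author} 1300000000 +0000",
              "", message, ""]
    return git_object_id("commit", "\n".join(lines).encode())

def tip_of_history(authors: list) -> str:
    """Chain one commit per author; every commit embeds its parent's id."""
    parents = []
    for n, author in enumerate(authors):
        parents = [commit_id(EMPTY_TREE, parents, author, f"change {n}")]
    return parents[0]

def tag_payload(tip: str, tagger: str) -> bytes:
    """Bytes a signed tag's signature is computed over (signature omitted)."""
    return (f"object {tip}\ntype commit\ntag v1.0\n"
            f"tagger {tagger} 1300000000 +0000\n\nrelease\n").encode()

# Constructed sample identities; ALTERED differs only in the oldest commit.
HONEST = ["Alice <alice@example.org>", "Bob <bob@example.org>",
          "Carol <carol@example.org>"]
ALTERED = ["Someone Else <other@example.org>"] + HONEST[1:]

if __name__ == "__main__":
    good, bad = tip_of_history(HONEST), tip_of_history(ALTERED)
    print("tip as tagged:        ", good)
    print("tip after root change:", bad)
    same = tag_payload(good, HONEST[2]) == tag_payload(bad, HONEST[2])
    print("signed payload unchanged:", same)  # False: the signature would fail
```

The signature binds the tagger to the exact history content; it does not prove that the author fields inside that history are truthful, which is the "by the tag-signer only" caveat in the message.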