Thanks, Andrew.

You said:
--have the server reject commits that have the 'committer' set to someone other than the authenticated user

but I don't know how to do that?

Our central repository is hosted by Apache, and there are some usernames and passwords saved by Apache to authenticate valid users, but as far as I know, there is no relation between the Apache username and the git client user info (saved in .gitconfig), so can you describe it in some detail?

Regards,
Scott Yan

On Thu, Jan 31, 2013 at 1:56 PM, Andrew Ardill <andrew.ardill@xxxxxxxxx> wrote:
>
> On 31 January 2013 16:52, Scott Yan <scottyan19@xxxxxxxxx> wrote:
>>
>> The user info of git client (user name and email) is set by the users
>> themselves, so, how to avoid userA pretending to be userB?
>>
>> Git server could authenticate the user, but it does nothing about the
>> user info of commit message.
>
> The simplest thing is to have the server reject commits that have the
> 'committer' set to someone other than the authenticated user.
>
> Of course, there are potential workflows that this would cause problems for,
> such as if you sync directly to another user's repository and then try and
> push those to a central server.
>
> The most robust system would probably involve using signed tags to verify
> what is being pushed, however I am not aware of any set-ups that have done
> this yet.
>
> Regards,
>
> Andrew Ardill
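
One way to implement the server-side check discussed above, as an added example that is not part of the original thread: a `pre-receive` hook that compares each pushed commit's committer email with the Apache-authenticated user. It assumes pushes go through `git-http-backend` (smart HTTP), which passes the login to hooks as `REMOTE_USER`, and a hypothetical map file `/etc/git/committers.map` that links Apache usernames to their allowed committer emails.

```shell
#!/bin/sh
# pre-receive hook (added example, not from the thread).
# Assumption: pushes arrive via git-http-backend behind Apache, so the
# authenticated login is in REMOTE_USER.
# Assumption: ALLOWED_MAP is a hypothetical file of
# "<apache-user> <committer-email>" lines maintained by the admin.
ALLOWED_MAP=${ALLOWED_MAP:-/etc/git/committers.map}

# allowed_emails USER MAPFILE: print every email registered for USER.
allowed_emails() {
    awk -v u="$1" '$1 == u { print $2 }' "$2"
}

# check_committers USER MAPFILE: read "<sha> <committer-email>" lines on stdin,
# print each commit whose committer is not one of USER's emails,
# and return 1 if there was any.
check_committers() {
    user=$1; map=$2; bad=0
    allowed=$(allowed_emails "$user" "$map")
    while read -r sha email; do
        # An empty email or one not in the list (exact, case-insensitive) fails.
        if [ -z "$email" ] || ! printf '%s\n' "$allowed" | grep -qixF -- "$email"; then
            echo "rejected $sha: committer <$email> is not $user"
            bad=1
        fi
    done
    return "$bad"
}

main() {
    [ -n "$REMOTE_USER" ] || { echo "push rejected: no authenticated user" >&2; exit 1; }
    status=0
    while read -r old new ref; do
        # An all-zero new id means the ref is being deleted: nothing to check.
        [ -z "$(printf %s "$new" | tr -d 0)" ] && continue
        # Inspect only commits not already reachable from an existing ref.
        git log --format='%H %ce' "$new" --not --all |
            check_committers "$REMOTE_USER" "$ALLOWED_MAP" >&2 || status=1
    done
    exit "$status"
}

# Run only when git invokes this file under its hook name.
case "${0##*/}" in pre-receive) main ;; esac
```

Installed as `hooks/pre-receive` (executable) in the central repository, it rejects the whole push if any new commit fails the check, which also blocks the workflow Andrew mentions of pushing commits fetched from another user's repository.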