On Thu, 31 Jan 2013 13:52:32 +0800, Scott Yan <scottyan19@xxxxxxxxx> wrote: > Hello everyone: > > The user info of git client (user name and email) is set by the users > themselves, so , how to avoid userA pretend to be userB? > > Git server could authentication the user, but it do nothing about the > user info of commit message. > > For example: > There are 20 people of my team, and everyone can push to the public > repository(git server), > If I found some backdoor code in my project, and the commit record > shows it was committed by userA, so I ask userA: why do you do this? > but he told me: no, this is not my code, I have never committed such > thing. ----and yes, everyone could change his user info to userA very > easily . > > so... what should I do to avoid such situations? gitolite keeps a log of which SSH user pushed which commits. The smart-http backend does the same if you have reflog enabled on the server (see the ENVIRONMENT section in man git-http-backend). So unless someone can steal userA's credentials (http password, ssh key) you'll be able to detect who it really was. -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html