On 01/31/2013 11:38 AM, Tomas Carnecky wrote: > On Thu, 31 Jan 2013 13:52:32 +0800, Scott Yan <scottyan19@xxxxxxxxx> wrote: >> Hello everyone: >> >> The user info of git client (user name and email) is set by the users >> themselves, so , how to avoid userA pretend to be userB? >> >> Git server could authentication the user, but it do nothing about the >> user info of commit message. >> >> For example: >> There are 20 people of my team, and everyone can push to the public >> repository(git server), >> If I found some backdoor code in my project, and the commit record >> shows it was committed by userA, so I ask userA: why do you do this? >> but he told me: no, this is not my code, I have never committed such >> thing. ----and yes, everyone could change his user info to userA very >> easily . >> >> so... what should I do to avoid such situations? > > gitolite keeps a log of which SSH user pushed which commits. The smart-http > backend does the same if you have reflog enabled on the server (see the > ENVIRONMENT section in man git-http-backend). So unless someone can steal > userA's credentials (http password, ssh key) you'll be able to detect who it > really was. See also my rant on this topic: https://github.com/sitaramc/gitolite/blob/master/src/VREF/EMAIL-CHECK#L37 -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html