Thanks to all.

Tomas:
I can't find reflog setting of git-http-backend doc
(http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html),
I tried this setting:
    git config core.logAllRefUpdates true
and after some test push, the output is as below:

>git log -g master
commit d34e61baa28eabf46ba5e9f6a2feb24cc683ed39
Reflog: master@{0} (Scott Yan <scottyan19@xxxxxxxxx>)
Reflog message: push
Author: Scott Yan <scottyan19@xxxxxxxxx>
Date:   Thu Jan 31 14:19:30 2013 +0800

this log shows when pushed, but still can't tell Who, because the
author info may be fake.
I don't know if I made some mistake.

Sitaram:
It seems I must host my central repo on Gitolite first...
I don't know Gitolite much, but you are right, maybe I should use
Gitolite as my git server.
I'll find more documents about gitolite these days, can you give me
some suggestion which tutorial should I read?
Thanks!

PS: my OS is Windows.

Regards,
Scott Yan

On Thu, Jan 31, 2013 at 2:10 PM, Sitaram Chamarty <sitaramc@xxxxxxxxx> wrote:
> On 01/31/2013 11:38 AM, Tomas Carnecky wrote:
>> On Thu, 31 Jan 2013 13:52:32 +0800, Scott Yan <scottyan19@xxxxxxxxx> wrote:
>>> Hello everyone:
>>>
>>> The user info of git client (user name and email) is set by the users
>>> themselves, so, how to avoid userA pretend to be userB?
>>>
>>> Git server could authentication the user, but it do nothing about the
>>> user info of commit message.
>>>
>>> For example:
>>> There are 20 people of my team, and everyone can push to the public
>>> repository(git server),
>>> If I found some backdoor code in my project, and the commit record
>>> shows it was committed by userA, so I ask userA: why do you do this?
>>> but he told me: no, this is not my code, I have never committed such
>>> thing. ----and yes, everyone could change his user info to userA very
>>> easily.
>>>
>>> so... what should I do to avoid such situations?
>>
>> gitolite keeps a log of which SSH user pushed which commits. The smart-http
>> backend does the same if you have reflog enabled on the server (see the
>> ENVIRONMENT section in man git-http-backend). So unless someone can steal
>> userA's credentials (http password, ssh key) you'll be able to detect who it
>> really was.
>
> See also my rant on this topic:
>
> https://github.com/sitaramc/gitolite/blob/master/src/VREF/EMAIL-CHECK#L37
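An added example, not part of the original thread: a small parser for a server-side reflog file (for instance `logs/refs/heads/master` in the bare repository) that separates entries stamped by git-http-backend from entries carrying a self-chosen identity. It assumes the `REMOTE_USER@http.REMOTE_ADDR` committer e-mail form described in the ENVIRONMENT section of the git-http-backend manual; the sample lines, hashes, `alice` and the addresses are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# One reflog line: "<old> <new> <name> <email> <epoch> <tz>\t<message>"
REFLOG_LINE = re.compile(
    r"^(?P<old>[0-9a-f]{40}) (?P<new>[0-9a-f]{40}) "
    r"(?P<name>.*?) <(?P<email>[^>]*)> "
    r"(?P<epoch>\d+) (?P<tz>[+-]\d{4})\t(?P<msg>.*)$"
)
# E-mail form written by git-http-backend when REMOTE_USER is set.
HTTP_IDENT = re.compile(r"^(?P<user>.+)@http\.(?P<addr>[0-9A-Fa-f.:]+)$")

# Constructed sample: first entry has a client-chosen identity,
# second entry has the identity stamped by the authenticated HTTP backend.
SAMPLE = (
    "0" * 40 + " " + "a" * 40
    + " Scott Yan <scott@example.invalid> 1359613170 +0800\tpush\n"
    + "a" * 40 + " " + "b" * 40
    + " alice <alice@http.192.0.2.10> 1359613200 +0800\tpush\n"
)

def parse_reflog(text):
    """Return one dict per ref update recorded in a server-side reflog."""
    updates = []
    for line in text.splitlines():
        m = REFLOG_LINE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        sign = -1 if m["tz"][0] == "-" else 1
        offset = sign * timedelta(hours=int(m["tz"][1:3]),
                                  minutes=int(m["tz"][3:5]))
        when = datetime.fromtimestamp(int(m["epoch"]), timezone(offset))
        ident = HTTP_IDENT.match(m["email"])
        updates.append({
            "old": m["old"], "new": m["new"],
            "when": when.isoformat(), "message": m["msg"],
            # Authenticated login if git-http-backend wrote the identity;
            # None means the name/e-mail is not tied to a server login.
            "pusher": ident["user"] if ident else None,
            "addr": ident["addr"] if ident else None,
        })
    return updates

if __name__ == "__main__":
    for u in parse_reflog(SAMPLE):
        who = u["pusher"] or "UNVERIFIED identity"
        print(u["when"], u["old"][:7] + ".." + u["new"][:7], who)
```

Entries reported with `pusher` set to `None` were not stamped with an authenticated login, so they say when a ref moved but not who moved it.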