Shawn O. Pearce <spearce@xxxxxxxxxxx> wrote:
> Andy Parkins <andyparkins@xxxxxxxxx> wrote:

[...]

> > The more I think about it, the more it could be a reasonable question.
> > In my own repository I can obviously create whatever commits I like,
> > claiming them to be from whomever I like just by altering a few config
> > settings. If I put a few of those in my own repository and then
> > managed to persuade Junio to pull from me - wouldn't I have faked
> > commits from another developer? However, I wouldn't be able to fake a
> > gpg signature.

[...]

> What I'm actually doing in one particular environment is checking
> the committer string against a database of known committer strings
> associated with the current UNIX uid. My update hook[*1*] performs
> a `git log --pretty=raw $3 --not --all` query to determine any
> commits which are coming in as part of this push and which are not
> already referenced by an existing head or tag in this repository.
> For each of those the committer line *must* match one stored in
> the allowed-committers file for the current user, as these are
> brand new commits being introduced to the repository.

This only covers the "pure star" (centralized, CVS-like) topology: Each one
only pushes their own changes, nobody collects changes from others and
pushes the sum.
--
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                    Fono: +56 32 2654431
Universidad Tecnica Federico Santa Maria             +56 32 2654239
Casilla 110-V, Valparaiso, Chile               Fax:  +56 32 2797513
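
The committer check described in the quoted message, run over constructed `git log --pretty=raw` output, as an added example that is not part of the original messages and is not Shawn's hook. The allowed-committers file format (one `Name <email>` per line), the function names and the sample commits are assumptions; the second sample commit is the relayed-commit case the reply points out.

```shell
#!/bin/sh
# Added example. Assumption: the allowed-committers file holds one
# "Name <email>" identity per line for the pushing user.

# Read `git log --pretty=raw` output on stdin; print "<sha> <committer>" for
# each commit whose committer is not listed in file $1. Returns 0 if all
# commits are allowed, 1 otherwise (a missing file rejects everything).
find_bad_committers() {
    allowed=$1
    bad=$(awk -v allowed="$allowed" '
        BEGIN { while ((getline line < allowed) > 0) if (line != "") ok[line] = 1 }
        /^commit /    { sha = $2 }
        /^committer / {              # message lines are indented, so no match
            id = $0
            sub(/^committer /, "", id)
            sub(/ [0-9]+ [-+][0-9]+$/, "", id)   # drop timestamp and timezone
            if (!(id in ok)) print sha, id
        }')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample: Alice pushes her own commit plus one she pulled from Bob.
sample_push_log() {
    cat <<'EOF'
commit 1111111111111111111111111111111111111111
tree aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
author Alice Example <alice@example.org> 1167609600 +0000
committer Alice Example <alice@example.org> 1167609600 +0000

    Fix parser

commit 2222222222222222222222222222222222222222
tree bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
parent 1111111111111111111111111111111111111111
author Bob Example <bob@example.org> 1167613200 -0300
committer Bob Example <bob@example.org> 1167613200 -0300

    Change pulled from Bob and relayed by Alice
EOF
}

# In hooks/update, where $3 is the new ref value ($ALLOWED is a hypothetical path):
#   git log --pretty=raw "$3" --not --all | find_bad_committers "$ALLOWED" || exit 1
```

With only Alice listed, the push is rejected because of Bob's commit, which is the limitation to a topology where each user pushes only their own changes.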