Hi! I was playing around with git when I realized that it's possible for me to commit something to a repository as another user (explained a scenario below for a better understanding of what I mean) and it is not considered a security vulnerability, understandably so (https://bounty.github.com/ineligible.html#impersonating_a_user_through_git_email_address). For example, let's assume I have push access to some repository called AAA, and my email address is abc@xxxxxxx. I can simply edit ~/.gitconfig on my system and set the email address as some other person's email address: def@xxxxxxx. Then, I make some changes in my local repository and commit them (reminder: it's with the email address def@xxxxxxx since git tracks commits by email address). Now, if I try to push to the remote repository, it asks for the username and password. I put mine and since I have push access to AAA, it goes through. I've successfully pushed commits on behalf of the owner of the email address: def@xxxxxxx. So basically, in this way, I can impersonate people and add commits on their behalf. BUT AGAIN, this is not considered a vulnerability (link for reason attached before). My question: It would be much easier if git didn't allow changing the email address so easily. Why hasn't git implemented OAuth, or something of that sort, for every time that the email address is changed in ~/.gitconfig, yet? Shreya Malviya
