Hi,

I've been wondering about whether it's possible to provide some degree of traceability of commits to a shared git repository. The potential nightmare scenario is one developer making a commit pretending to be someone else.

Assuming a shared server using something like gitosis, each set of commits is made under a certain ssh ID, and what I'd like is to be able to validate that against the commits so we could tell that commits A-D were made by ID Z.

I see a repository as a linear progression of commits and merges. The simplest security check would check each commit/merge on this linear progression and make sure it matches the ssh ID.

The problem is where someone merges in some external tree, someone else pulls it and pushes it, only fast forward merges are made, and the ssh 'ID' no longer matches the ID of the merge which is in the linear path.

Someone mentioned some patches that are on the mailing list atm and the idea of never allowing fast forward merges. Would the "never" policy of fast forward merges solve this problem?

Is there a simpler way to address this, or are there problems I'm not seeing?

Regards,

Richard
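The check described in the message above, modelled as an added example that is not part of the original post: walk the first-parent ("linear") path of a push and compare each commit's recorded committer with the ssh-authenticated pusher. The commit graph, ids and names are constructed, and the pusher ID is assumed to be supplied by the server.

```python
# Constructed model of a server-side check; commit ids and names are made up.
# In a real hook the chain would come from `git rev-list --first-parent old..new`.

def first_parent_chain(graph, old, new):
    """Commits from new back to (not including) old, following first parents only."""
    chain, cur = [], new
    while cur != old:
        if cur is None:
            raise ValueError("old tip is not on the first-parent path of new tip")
        chain.append(cur)
        parents = graph[cur]["parents"]
        cur = parents[0] if parents else None
    return chain

def mismatched_commits(graph, old, new, pusher):
    """Mainline commits whose recorded committer is not the authenticated pusher."""
    return [c for c in first_parent_chain(graph, old, new)
            if graph[c]["committer"] != pusher]

def commit(committer, *parents):
    return {"committer": committer, "parents": list(parents)}

# Shared history: 'base' is the server's current tip. Alice has an external tree.
BASE = {
    "base": commit("carol"),
    "x1": commit("alice", "base"),
    "x2": commit("alice", "x1"),
}

# Case 1: Bob pulls Alice's tree (fast-forward) and pushes it: tip becomes x2.
FF_GRAPH = dict(BASE)

# Case 2: Bob merges Alice's tree with a real merge commit 'm' and pushes that.
NO_FF_GRAPH = dict(BASE, m=commit("bob", "base", "x2"))

if __name__ == "__main__":
    print("ff push by bob:   ", mismatched_commits(FF_GRAPH, "base", "x2", "bob"))
    print("no-ff push by bob:", mismatched_commits(NO_FF_GRAPH, "base", "m", "bob"))
```

In the second case Alice's commits are reachable only through the merge's second parent, so the check attributes the merge itself to the pusher and leaves the imported commits out of the comparison.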