This repository has been archived by the owner on Feb 5, 2018. It is now read-only.

spoof commits #38

Open
Drealmer opened this issue Oct 13, 2015 · 2 comments

@Drealmer

Hi all,

By design, each git commit carries the email of its author, and nothing prevents you from forging a commit that pretends to be from someone else.

When working on group projects, this might be problematic. Even if all students have the rights to modify anything, by changing their email address they can break stuff and blame it on somebody else. Now, the chances of this happening on purpose are really low, and the solution to this resides more on the social aspects of source control than on the technical ones, but still...

I am wondering if I can access the "push log" of a GitHub repository, in order to check who sent which commit to the server.

The other option I am aware of is signing commits with an SSH key, but I don't think it would work with the built-in git integration of Visual Studio we are currently using (which is really convenient because it is dead simple, so I'd like to keep it that way). And also, if the repository can't be configured to reject unsigned commits this won't help much (I have to confess I have no idea if that is possible with GitHub).

Any idea? Thanks.

@robertmorrispainter

Block chain technology (Bitcoin) interests me for this very reason, but I haven't had time to delve in yet.
https://www.hastac.org/blogs/colemoore/2015/03/10/block-chain-futurism

@JoshCheek

Even if you could access the push log, it doesn't necessarily mean much. Since git is decentralized, they could merge from each other's repositories (e.g., more than one remote repository), at which point, whichever repo you have the push-log of becomes only a subset of the history.

If this is actually a problem, then having them sign the commit is a pretty good option. Looks like git supports this already: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
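
An added example, not part of the thread or of anyone's reply: where the server cannot be made to reject unsigned commits, a reviewer can still audit signature status after the fact. The function name `audit_signatures` and the sample addresses are assumptions; it reads tab-separated `git log` output using git's `%G?` signature-status placeholder and assumes the students' public keys are already in the reviewer's keyring.

```shell
#!/bin/sh
# Reads "<hash>\t<%G? status>\t<author email>" lines on stdin and reports
# every commit whose signature did not verify as good and trusted.
# Exit status is 1 when at least one commit is flagged, 0 otherwise.
audit_signatures() {
    awk -F '\t' '
    {
        hash = $1; status = $2; author = $3
        if (status == "G") { good++; next }          # good, trusted signature
        if (status == "N")      reason = "unsigned"
        else if (status == "B") reason = "bad signature"
        else if (status == "E") reason = "signature cannot be checked (missing key?)"
        else if (status == "U") reason = "good signature, untrusted key"
        else if (status == "X" || status == "Y") reason = "expired signature or key"
        else if (status == "R") reason = "revoked key"
        else reason = "unknown status " status
        # The author field is only a claim; without a good signature it proves nothing.
        printf "%s %s: %s\n", substr(hash, 1, 12), author, reason
        flagged++
    }
    END {
        printf "summary: %d verified, %d flagged\n", good + 0, flagged + 0
        exit (flagged > 0)
    }'
}

# Constructed sample input (not from a real repository). Against a real
# clone, feed the function from git instead:
#   git log --format='%H%x09%G?%x09%ae' | audit_signatures
printf '%s\t%s\t%s\n' \
    1111111111111111111111111111111111111111 G alice@example.edu \
    2222222222222222222222222222222222222222 N alice@example.edu \
    3333333333333333333333333333333333333333 B bob@example.edu |
    audit_signatures || echo "review the flagged commits before trusting their author field"
```

Because the check runs over commit history rather than a push log, it gives the same answer in any clone, including one assembled by merging from several remotes.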
