
Committer verification #2770

Open
IlyaBelitser opened this issue Oct 23, 2017 · 4 comments

Comments

@IlyaBelitser

commented Oct 23, 2017

Git and distributed version control have many benefits out of the box, but controlling access and workflows isn't one of them. For example, without a Git management tool, a developer can push commits that others have written to the central repository.

This creates problems for organizations with strict security and compliance requirements.
It is necessary to add a new committer verification hook, which enforces that only the author of a commit can push those changes back to the Gogs server. We can sleep easy knowing that only authorized code changes can make it to your repositories.

BitBucket has added this feature.

https://www.atlassian.com/blog/bitbucket/enterprise-devops-bitbucket-server-5-bamboo-6

committer-verification

And GitLab is adding it too.

https://gitlab.com/gitlab-org/gitlab-ee/issues/1802

@lafriks lafriks added this to the 1.x.x milestone Oct 23, 2017

@sapk

Member

commented Oct 24, 2017

From git's point of view, I would recommend you use gpg commit verification (already implemented), which allows a "pusher" to push commits from another "committer" and still be able to verify that the commit hasn't been tampered with or that the identity of the committer isn't falsified. This type of verification is totally decentralized, verification can also be done locally, and it is supported natively by git.

This solution doesn't cover the part of only allowing pushing commits from the logged-in user, which may be needed for your corporation (this would block cherry-pick and some git flows if enabled).

If the gpg method doesn't fully comply with your need, gitea supports server-side hooks, but those need to be added manually via the git cli. More generally, we could provide a way to apply a predefined list of server-side hooks.

EDIT: it is also possible to edit the pre-receive hook via web interface.
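The kind of pre-receive hook this comment refers to, written here as an added example that is not part of the issue or of Gitea's own code: it rejects a push if any commit new to the repository has a committer e-mail that differs from the pusher's. It assumes the server exports the pusher's e-mail in an environment variable named GITEA_PUSHER_EMAIL (an assumption; confirm the variable name for your version) and that git is on the hook's PATH.

```shell
#!/bin/sh
# Pre-receive hook (example): only let a user push commits they committed.
# Assumption: GITEA_PUSHER_EMAIL carries the e-mail of the pushing account.

ZERO=0000000000000000000000000000000000000000

# verify_committers PUSHER_EMAIL
#   Reads "<sha> <committer-email>" lines on stdin, one per pushed commit.
#   Reports every commit whose committer differs from the pusher and
#   returns 1 if there was at least one, 0 otherwise.
verify_committers() {
    pusher="$1"
    bad=0
    while read -r sha email; do
        [ -z "$sha" ] && continue
        if [ "$email" != "$pusher" ]; then
            echo "rejected: $sha committed by $email, pushed by $pusher" >&2
            bad=1
        fi
    done
    return "$bad"
}

# run_hook: git feeds "<oldrev> <newrev> <refname>" lines on stdin, one per
# updated ref. For each, list the commits that are new and check them.
run_hook() {
    pusher="${GITEA_PUSHER_EMAIL:?pusher e-mail not provided by server}"
    while read -r oldrev newrev refname; do
        # Ref deletion brings no new commits; nothing to verify.
        [ "$newrev" = "$ZERO" ] && continue
        if [ "$oldrev" = "$ZERO" ]; then
            # New branch or tag: check commits not reachable from any existing ref.
            range="$newrev --not --all"
        else
            range="$oldrev..$newrev"
        fi
        # %H = commit hash, %ce = committer e-mail (use %ae to check the author instead).
        git log --format='%H %ce' $range | verify_committers "$pusher" || exit 1
    done
}

# Only act as a hook when the server actually provided a pusher identity.
if [ -n "${GITEA_PUSHER_EMAIL:-}" ]; then
    run_hook
fi
```

Checking %ce (committer) rather than %ae (author) means a cherry-picked commit is accepted as long as the person cherry-picking is the pusher, since cherry-pick rewrites the committer; swap in %ae if your policy is about authorship.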

@lunny

Member

commented Oct 27, 2017

So maybe we could have an option in the repository settings to deny all pushes that fail gpg verification.

@stale


commented Feb 11, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.
