From: Onno Kortmann
Subject: Re: [Simulavr-devel] git repo: ready for go
Date: Thu, 25 Mar 2010 22:23:54 +0100
User-agent: Mozilla-Thunderbird 2.0.0.22 (X11/20090707)
Hi all,
> That's a little strange, does it really mean I could pretend being someone else? Isn't there any way to have an authenticated user in the logs (as it is standard for central-repository VCSes)?
Yes, you can pretend to be anyone, and I was also a bit surprised by it initially. This should not be a problem, as in a small group developers are usually not that hostile to each other :-) The underlying reason is that git as a DVCS allows merging, moving and cherry-picking commits from others, and all this basically leads to allowing transfer of commits of others between repositories.
I believe that there is a commit hook script somewhere which only accepts signed commits. But I think it is overkill here, the set of people with write access is fairly constrained.
There is also a simpler, 'hybrid' mode of signing changes. Tags can be signed. As the progression of commits in git leads to a unique cryptographic hash for each given point in commit history, the one who signs a tag implicitly causes the preceding history to be signed (by the tag-signer only, of course). We could do something like that instead, when we're signing releases.
Best regards, Onno
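The signed-tag point in the message above, as an added example that is not part of the original message or of the simulavr project: it computes git-style commit ids for a small constructed history and shows that a signature over the tag's target id stops verifying once any earlier commit is altered. Assumptions: the author names, key, timestamp and tag name are constructed, the tag payload is simplified, and HMAC-SHA256 stands in for the GPG signature that `git tag -s` would produce.

```python
import hashlib
import hmac

def git_object_id(kind, body):
    # Git names an object by SHA-1 over "<kind> <size>\0" followed by the body.
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

EMPTY_TREE = git_object_id("tree", b"")   # every sample commit uses the empty tree
WHEN = "1270000000 +0000"                 # constructed timestamp

def commit_id(parent, author, message):
    # The author line is free text supplied by the committer; nothing checks it.
    lines = [f"tree {EMPTY_TREE}"]
    if parent:
        lines.append(f"parent {parent}")   # the parent id is part of the hashed body
    lines += [f"author {author} {WHEN}", f"committer {author} {WHEN}"]
    return git_object_id("commit", ("\n".join(lines) + f"\n\n{message}\n").encode())

def build_history(authors):
    # One commit per author, each naming the previous commit as its parent.
    tip = None
    for n, author in enumerate(authors):
        tip = commit_id(tip, author, f"change {n}")
    return tip

def sign_tag(key, tip, name="rel-constructed"):
    # Simplified tag payload; HMAC-SHA256 is a stand-in for the GPG signature.
    payload = f"object {tip}\ntype commit\ntag {name}\n".encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def verify_tag(key, tip, signature):
    return hmac.compare_digest(sign_tag(key, tip), signature)

KEY = b"constructed-release-key"
ORIGINAL = ["Alice <alice@example.org>", "Bob <bob@example.org>", "Alice <alice@example.org>"]
# Same three commits, but the first one now carries a different author line.
REWRITTEN = ["Carol <carol@example.org>"] + ORIGINAL[1:]

if __name__ == "__main__":
    tip = build_history(ORIGINAL)
    sig = sign_tag(KEY, tip)
    print("signed tip:   ", tip, verify_tag(KEY, tip, sig))
    new_tip = build_history(REWRITTEN)
    print("rewritten tip:", new_tip, verify_tag(KEY, new_tip, sig))
```

The signature records that the tag signer vouched for the history as it stood, author lines included; it does not establish who actually wrote each commit.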