
Is there a way to protect oneself from Mercurial identity theft?


The case is if someone deliberately commits bugs into the code using another developer's name with the goal of getting that person fired or mis-credited.

Is there a way to stop that from happening, or is it a non-issue?


I don't know a way to actually restrict commits so as not to include a "stolen" identity, but if you have a centralized repository you should be able to securely audit who has pushed which changes to the server, and thereby track down the identity thief.


Edit: there seems to be support for signing commits with two extensions, the CommitsigsExtension as well as the seemingly less secure approach implemented by the GpgExtension.

Signing the changesets effectively prevents identity theft, since the thief does not have the private key of the identity he wants to steal and so cannot sign the commit.


The Mozilla project does this in the form of a pushlog. They made a trivial change to the web templates to show the output of a pushlog which is easily created at push time using a changeset hook. Here's what their log looks like:

http://hg.mozilla.org/mozilla-central/pushloghtml

A hook that creates such a log could be as easy as:

[hooks]
# 'incoming' runs once per received changeset, with HG_NODE set to its id
incoming = echo "$REMOTE_USER pushed $HG_NODE" >> /path/to/my/pushlog

In practice this is one of those things that everyone thinks will be a problem when they first hear that the "user" field is entirely falsifiable, but in practice it is just never actually a problem.
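The pushlog idea above, carried a step further as an added example (this is not the answer's hook or Mozilla's pushlog code): an in-process Mercurial hook that records the authenticated pusher next to the changeset's own author field, plus an audit function that flags the two disagreeing. The log path, the account-to-author policy and the sample log lines are assumptions constructed for the example.

```python
import datetime
import os

# Assumed for this example: the answer's placeholder log path, and which committer
# identities each authenticated (REMOTE_USER) account may legitimately use.
PUSHLOG_PATH = "/path/to/my/pushlog"
ALLOWED_AUTHORS = {
    "alice": {"Alice Example <alice@example.org>"},
    "bob": {"Bob Example <bob@example.org>"},
}

def _s(value):
    # Mercurial on Python 3 hands hooks bytes; normalise to str for logging.
    return value.decode("utf-8", "replace") if isinstance(value, bytes) else value

def make_entry(pusher, node_hex, author, when):
    """One tab-separated line: pusher, changeset id, falsifiable author field, timestamp."""
    return "\t".join([pusher, node_hex, author, when])

def pushlog(ui, repo, hooktype, node=None, path=PUSHLOG_PATH, **kwargs):
    """In-process 'incoming' hook, run once per pushed changeset; enable in the server
    hgrc with: incoming.pushlog = python:/path/to/pushlog.py:pushlog. Assumes the web
    server exports REMOTE_USER into the environment, as the answer's shell hook does."""
    pusher = os.environ.get("REMOTE_USER", "anonymous")
    ctx = repo[node]
    when = datetime.datetime.now(datetime.timezone.utc).isoformat()
    with open(path, "a") as fh:
        fh.write(make_entry(pusher, _s(ctx.hex()), _s(ctx.user()), when) + "\n")
    return 0  # falsy result lets the push proceed; this hook only records

def parse_entry(line):
    return line.rstrip("\n").split("\t")  # -> [pusher, node_hex, author, when]

def find_mismatches(lines, allowed=ALLOWED_AUTHORS):
    """Audit: flag changesets whose author field is not one the authenticated pusher
    may use; the spoofed-user signal the repository contents alone cannot give."""
    suspicious = []
    for line in lines:
        if not line.strip():
            continue
        pusher, node_hex, author, _ = parse_entry(line)
        if author not in allowed.get(pusher, set()):
            suspicious.append((pusher, node_hex, author))
    return suspicious

# Constructed sample: bob's authenticated session pushed a changeset bearing alice's name.
SAMPLE_LOG = [
    make_entry("alice", "a1b2c3d4e5f6", "Alice Example <alice@example.org>", "2024-01-01T10:00:00+00:00"),
    make_entry("bob", "0f0f0f0f0f0f", "Bob Example <bob@example.org>", "2024-01-01T10:05:00+00:00"),
    make_entry("bob", "deadbeefdead", "Alice Example <alice@example.org>", "2024-01-01T10:06:00+00:00"),
]
```

Running find_mismatches(SAMPLE_LOG) reports only the third entry, which is exactly the case the question asks about: the author field says alice, but the server authenticated bob.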


Use access control on the "main" repo and log requests. If you log who authenticated to push each commit, you can tell who really pushed a particular commit, regardless of the info in the repository.
