.gitconfig. How to protect?

If you see .gitconfig file it contains user's name and email address. I wish to protect it from user as they can always mask their identity开发者_开发问答 as it still configurable by user.

Ex, In my company directory my name as follows Gerald, Anthony (Last Name, Fist name).

What people make mistake here, some user specify their name as below

• Gerald
• G.Anthony
• GA
• Anthony
• AGeral
• etc.

This makes confusion as it doesn't contain true information.

Let me know how you peopls manage user identity

This is a social problem, and should be solved by social means.

If you really want to be sure who checked something in, you should use signed tags (with a public key signed by some company-central CA).

You cannot really enforce that with Git alone (unless you are rethinking the all Distributed model), but if you have some encapsulation around your Git repo server, like gitolite, you can use some scripts to check the username:

For instance: update.email-check.

Gitolite specific script to check "author email" field of every commit pushed and to disallow if this email does not match the email that the user pushing is expected to have.

The "Philosophical Notes" included in that scripts are quite blunt but alos to the point ;)

Philosophical notes:

Doing this breaks the "D" in "DVCS", forcing all your developers to work to a centralised model as far as pushes are concerned.
It prevents amending someone else's commit and pushing (this includes rebasing, cherry-picking, and so on, which are all impossible now).
It also makes any off-line collabaration between two developers useless, because neither of them can push the result to the server.

PHBs should note that validating the committer ID is NOT the same as reviewing the code and running QA/tests on it. If you're not reviewing/QA-ing the code, it's probably worthless anyway. Conversely, if you are going to review the code and run QA/tests anyway, then you don't really need to validate the author email!

In a DVCS, if you pushed a series of commits, you have -- in some sense -- signed off on them. The most formal way to "sign" a series is to tack on and push a gpg-signed tag, although most people don't go that far.
Gitolite's log files are designed to preserve that accountability to some extent, though; see contrib/adc/who-pushed for an admin defined command that quickly and easily tells you who pushed a particular commit.

Anyway, the point is that the only purpose of this script is to

• pander to someone who still has not grokked *D*VCS
• OR tick off an item in some stupid PHB's checklist

It is possible to add a signed tag to a commit to provide some sort of verification.

Protecting .gitconfig will not solve the problem, since a user can override those settings by setting GIT_AUTHOR_NAME and GIT_AUTHOR_EMAIL.