> That's not correct AFAIK. Usually, the PR *opener* (not merger) is
> listed as the git author and Github is listed as the committer. This
> is a gotcha that bit us before when a PR had to be reworked and
> recommitted from another person, and then was finally squashed.
>

Any chance that that behaviour depends on a) if there's one or multiple commits, b) one or multiple authors of those commits? Because your statement doesn't seem to align with my experience on that matter. Except when squashing a single commit, which is transferred unmodified other than the commit comment.

Following feature update seems to indicate that what I'm saying is not complete nonsense.
https://github.blog/changelog/2022-09-15-git-commit-author-shown-when-squash-merging-a-pull-request/

>
> Unfortunately not, it only testifies that Github created the commit.
> In the best case (relying on Github's rules that may or may not change
> in the future), we could say it testifies who the creator of the PR
> was which still does not say anything about the contents of the commit
> (or even through which PR it was merged). Most of this information can
> be accessed through the GH UI but it's not recorded in the commit.
> It's a common problem when doing code archeology to trace back how and
> where things have originated...
>

It sure seems like there's an element of surprise to the matter
https://github.com/isaacs/github/issues/1368

>
> From my experience, OS is often more strict and principled about these
> things than enterprises which often take whatever works as long as
> there's some progress ;)
>

Well, not a contradiction at all. Taking "what works" is helped by placing some (not all) trust in audit trails/traceability.

Anyhow, I think in general commit spoofing is not a well lit complication of using Git, which did not exist with e.g. SVN.
https://mikegerwitz.com/2012/05/a-git-horror-story-repository-integrity-with-signed-commits

And while these guys haven't made many friends in OSS, I think they did highlight very important risks.
https://www.phoronix.com/news/Hypocrite-Commit-Open-Letter

But I will admit, the first doesn't really matter much if you systemically squash. Rebasing is another story though.
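
Added example, not part of the message above and not code from any project it mentions: a small parser for the raw commit object that separates the author field, the committer field and the presence of a signature, which are the three things the thread is arguing about. The sample commit, its names and addresses, and the helper names (parse_commit, identity, assess) are constructed for illustration.

```python
import re
# Constructed sample in the raw form printed by `git cat-file commit <id>`.
# All names, addresses, ids and the signature body are made up.
SAMPLE_SQUASH = """\
tree 0000000000000000000000000000000000000000
parent 1111111111111111111111111111111111111111
author PR Opener <opener@example.org> 1663230000 +0200
committer GitHub <noreply@github.com> 1663233600 +0000
gpgsig -----BEGIN PGP SIGNATURE-----
 (constructed placeholder, not a real signature)
 -----END PGP SIGNATURE-----

Add feature

Co-authored-by: Second Dev <second@example.org>
"""

IDENT = re.compile(r"^(.*) <([^>]*)> \d+ [+-]\d{4}$")

def parse_commit(raw):
    """Split a raw commit into ({header: [values]}, message)."""
    head, _, message = raw.partition("\n\n")
    headers, key = {}, None
    for line in head.split("\n"):
        if line.startswith(" ") and key:      # continuation (multi-line gpgsig)
            headers[key][-1] += "\n" + line[1:]
        else:
            key, _, value = line.partition(" ")
            headers.setdefault(key, []).append(value)
    return headers, message

def identity(value):
    m = IDENT.match(value)
    if not m:
        raise ValueError("malformed identity line: %r" % value)
    return m.group(1), m.group(2)

def assess(raw):
    """Report who the commit names and what a signature could vouch for.
    Only header presence is checked; the signature is NOT verified here."""
    headers, message = parse_commit(raw)
    author = identity(headers["author"][0])
    committer = identity(headers["committer"][0])
    trust = ("unsigned" if "gpgsig" not in headers          # both are plain claims
             else "signer-is-author" if author[1] == committer[1]
             else "committer-only")     # signer acts as committer; author is a claim
    co = re.findall(r"^Co-authored-by: (.*) <([^>]*)>$", message, re.M)
    return {"author": author, "committer": committer, "trust": trust, "co_authors": co}
```

Feed it the output of `git cat-file commit <id>`; a "committer-only" result means the author line is covered by the signed bytes but was asserted by the committer, not proven by the author.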
