On Wed, Nov 24, 2021 at 05:36:55AM -0800, Ayush Bisht wrote:

> Hey there, I'm Ayush. I've been using git for 2 years and today I found an 
> issue. 
> I was cloning a repo with an SSH key, and after that I locally configured that 
> repo with an email. But the problem is that I entered the wrong email, 
> which belongs to another account. So when I committed some changes, I found 
> that the commit was done by that user (with that wrong email) on that 
> repo at github. 
> 
> I think it should not be the case.
> I want to know more about this, and if it needs to be fixed then I would love 
> to work with you. 

This is not a security issue for a number of reasons.

First, having a commit attributed to the wrong person due to such a
misconfiguration is a far less severe possibility than injecting malicious
code into that same software project (if the project is not managing a piece of
software, imagine any other harm which might result from inserting malicious
modifications into _the content_ - as opposed to the metadata, of which e-mail
addresses are a part).

To generalize, if someone has write access to the repository, all bets are off
anyway because that person can do whatever they want to that repository, and
hence that is more a question of the level of trust.

Next, please consider that Git actually has two fields in the metadata block
of a commit which can contain e-mail addresses: the author (of the change) and
the committer - whoever integrated (committed) the change into the repository.
This is needed to cover at least the following two cases: rebasing (when Bob
rebases a series of commits made by Alice) and integrating a patch sent by
e-mail or transferred via other means (such as off-line). You might be
surprised to learn that both the Linux and Git projects heavily rely on patch
series being submitted to mailing lists, reviewed there and applied _from
there_ (by the `git am` command).

From that, it naturally follows that a particular person working on a project
might legitimately have an unbounded number of e-mail addresses - for
instance, I could submit a patchset done at my $dayjob, and hence it would
have been sent from my work e-mail, and I could submit another patchset which
I've done at home, and it would have been sent from my personal e-mail.

Next, Git does have a mechanism for enforcing a decent level of security -
"signed tags". When creating a tag, Git allows the creator to sign it with a
PGP key, in which case the tag becomes "annotated", with the annotation
holding (the ASCII rendition of) the generated signature. This allows anyone
having access to the public part of the signer's key (and they are naturally
public and published) to verify the authenticity of that tag, and since the tag
refers to the Git object it points at (usually a commit) by that object's
cryptographic hash, this allows one to transitively authenticate the whole
subgraph of commits reachable from the tagged one. This mechanism is routinely
used by the Linux project to make official releases.

Using such an approach presupposes that whoever approved a series of changes
has actually reviewed them (or trusts whoever has done such a review), but,
as I've already said, verifying that the authors of commits "are sensible" is by
no means more important than verifying that the code is sensible.


Having said that, I would say I could see a point that in certain cases it
may be useful to authenticate the identities of the authors of each and every
commit, but then we're going to face the problem of exactly how to do that.
(I mean it is definitely doable - even in a low-tech fashion, by using only
shell scripting and some external tools such as OpenPGP or OpenSSH, - but there
cannot be a one-size-fits-all approach.)


Another point is that you have mentioned Github. The only relation Github has
to Git is that it hosts Git repositories. Github is not in any way required to
manage a Git project, and quite a lot of Git projects are managed in ways quite
different from the workflows suggested/forced by Github. So if your question
was really about using Git in the context of Github, I think it would be
better for you to ask it on any of the communication venues provided by
Github (this mailing list is not about using Github).

-- 
You received this message because you are subscribed to the Google Groups "Git 
for human beings" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to git-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/git-users/20211124141540.tc57oy7f54orhddi%40carbon.

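As an added illustration of the points made in the reply above (this is example code written for this page, not code from the original poster, the reply's author or the Git project), the following Python script parses raw commit and tag objects in the format `git cat-file -p` prints. It shows the two separate author and committer identities the reply mentions, where each object type stores its signature and which exact bytes that signature covers, and the kind of low-tech per-commit author check the reply says is doable. The sample objects, names, e-mail addresses, hashes and signature bodies are all constructed placeholders; the script does not do the cryptographic verification itself, it only isolates the signature and payload you would hand to `gpg --verify` (or let `git verify-commit` / `git verify-tag` check for you).

```python
"""Parse raw git commit and tag objects (the format `git cat-file -p` prints):
split author from committer, isolate a PGP/SSH signature from the exact bytes
it covers, and apply a per-commit author policy. Every object below is
constructed for this example (made-up hashes, names, placeholder signatures)."""
import re
from collections import namedtuple

SIG_MARKERS = ("-----BEGIN PGP SIGNATURE-----", "-----BEGIN SSH SIGNATURE-----")
IDENT_RE = re.compile(r"^(?P<name>.*?) <(?P<email>[^>]*)> (?P<ts>\d+) (?P<tz>[+-]\d{4})$")
# headers: [(key, value)] in object order; signature and signed_payload are
# None for an unsigned object, otherwise the armored block and the exact text
# a verifier (gpg --verify, ssh-keygen -Y verify) must be given.
GitObject = namedtuple("GitObject", "kind headers message signature signed_payload")

def ident(obj, field):
    """Return (name, email) from an 'author', 'committer' or 'tagger' header."""
    value = dict(obj.headers)[field]
    m = IDENT_RE.match(value)
    if not m:
        raise ValueError(f"malformed {field} line: {value!r}")
    return m["name"], m["email"]

def parse_commit(raw):
    """Commits keep the signature in a multi-line 'gpgsig' header (continuation
    lines start with one space); git signs the object with that header removed."""
    head, _, message = raw.partition("\n\n")
    headers = []
    for line in head.split("\n"):
        if line.startswith(" ") and headers:            # continuation line
            headers[-1] = (headers[-1][0], headers[-1][1] + "\n" + line[1:])
        else:
            key, _, value = line.partition(" ")
            headers.append((key, value))
    sig = next((v for k, v in headers if k == "gpgsig"), None)
    payload = None
    if sig is not None:
        kept = [k + " " + v.replace("\n", "\n ") for k, v in headers if k != "gpgsig"]
        payload = "\n".join(kept) + "\n\n" + message
    return GitObject("commit", headers, message, sig, payload)

def parse_tag(raw):
    """Tags carry the signature appended to the annotation; the signed payload
    is everything before the armor block."""
    head, _, body = raw.partition("\n\n")
    headers = [tuple(line.partition(" ")[::2]) for line in head.split("\n")]
    sig = payload = None
    for marker in SIG_MARKERS:
        idx = body.find(marker)
        if idx != -1:
            sig, body = body[idx:], body[:idx]
            payload = head + "\n\n" + body
            break
    return GitObject("tag", headers, body, sig, payload)

def check_commit_policy(obj, allowed_authors):
    """Return findings (empty list == pass). The author e-mail is free-form
    metadata, so the allowlist is meaningful only after the signature has been
    verified against a trusted key (gpg --verify, or git verify-commit)."""
    findings = []
    _, email = ident(obj, "author")
    if email not in allowed_authors:
        findings.append(f"author {email} not in allowlist")
    if obj.signature is None:
        findings.append("unsigned: author/committer fields are unauthenticated")
    return findings

# Constructed sample: Alice's mailed patch applied with `git am` by Bob, who
# signed the commit. The gpgsig body is a placeholder, not a real signature.
SIGNED_COMMIT = "\n".join([
    "tree 1111111111111111111111111111111111111111",
    "parent 2222222222222222222222222222222222222222",
    "author Alice Example <alice@example.org> 1637762400 +0100",
    "committer Bob Integrator <bob@example.net> 1637766000 +0100",
    "gpgsig -----BEGIN PGP SIGNATURE-----",
    " ",                                        # armor's empty line, encoded
    " iQEzBAABCAAdFiEEplaceholderNOTaREALsignature", " =AbCd",
    " -----END PGP SIGNATURE-----",
    "", "Fix off-by-one in parser", "", "Applied from the mailing list.", "",
])
# Constructed sample: commit made with a mistyped user.email, no signature.
UNSIGNED_COMMIT = "\n".join([
    "tree 1111111111111111111111111111111111111111",
    "parent 3333333333333333333333333333333333333333",
    "author Dev Laptop <typo@example.com> 1637764800 +0530",
    "committer Dev Laptop <typo@example.com> 1637764800 +0530",
    "", "Change made with the wrong user.email", "",
])
# Constructed sample: a signed release tag (placeholder signature body).
SIGNED_TAG = "\n".join([
    "object 4444444444444444444444444444444444444444", "type commit", "tag v1.0",
    "tagger Alice Example <alice@example.org> 1637770000 +0100",
    "", "Release v1.0", "-----BEGIN PGP SIGNATURE-----", "",
    "iQEzBAABCAAdFiEEplaceholderNOTaREALsignature", "=WxYz",
    "-----END PGP SIGNATURE-----", "",
])
```

Against a real repository, feed `parse_commit` the output of `git cat-file commit <sha>` and `parse_tag` the output of `git cat-file tag <tagname>`; the `signed_payload` and `signature` fields are exactly what `git verify-commit` and `git verify-tag` hand to the signature tool. Note that in the signed sample the author (Alice) and committer (Bob) differ, which is the normal outcome of `git am` or a rebase and is not a red flag by itself; the thing a policy can actually rely on is the verified signature, not either e-mail address.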