montroser 4 hours ago

I used to work at a startup with a character who would set his identity to be random fairytale-sounding nonsense, changing every day. So his commits on Monday would be attributed to Mr. Bunnymann, and Tuesday would be Doctor Funtime, etc.

It was super unhelpful when trying to do version control forensics. But if I'm being generous, I think maybe he was trying to remind everyone that anyone can put anything in their identity config, and we shouldn't trust whatever is in there for all that much.

necovek 2 hours ago | parent | next [-]

If yours was a "blameless culture", when you did "version control forensics", you didn't really care about who did it, but when it happened and around what other changes (to understand the broader context)? Right? (Though obviously, it helps to know who did something so you can ask them directly if they remember more details, or so you know what to expect when it comes to style and expertise :)

Anyway, if you simply[1] require commits to be signed with GPG, and enlist what GPG identities are acceptable, you are pretty much set (and you can rely on the signature instead of the author/committer metadata to identify the actual author).

[1] "Simply" and GPG signing don't always go hand-in-hand, I admit.

Ferret7446 2 hours ago | parent | prev | next [-]

You should trust it as much as you trust any document written/signed by your employees. Which is to say, if you can't trust your employees to not properly identify their commits, you should fire them.

helloooooooo 2 hours ago | parent [-]

No, the previous commenter is saying that you cannot trust the identity provided in commits, period. This has nothing to do with trusting employees, rather placing trust in the identity in the commit.

theamk an hour ago | parent [-]

This is true on the general internet, but workplaces are normally more high-trust. If one needs to guard themselves against hacking by their co-workers, they have less time and energy to do actual work.

So a fictional character is maybe OK, as long as it is a clearly fictional name and no one else in the company does that; but other stuff, like actually impersonating other co-workers, would be very bad, and should eventually lead to firing.

spacemanspiff01 4 hours ago | parent | prev | next [-]

Did he use the same signing key? (If we are being generous)

kevindamm 3 hours ago | parent [-]

I don't think you can -- the key's identity needs to match the name/comment/email it was generated with. You would have to regenerate after every name change to have them all verified (and keep them all on file with the git server afterwards, too).

tecleandor 2 hours ago | parent | next [-]

I'd say that in general it verifies it with the email, but it depends.

I just did a test with four commits with a signature matching both on user and email, only on email, only on user, and in none of them and:

From GitHub, it validates signatures with the email registered in the commit: if the signature matches the key registered for the GitHub user with that email address, it says "Verified" in a green box. If it doesn't, it says "Unverified" in a yellow box.

So GitHub "Verified" two commits: the one that matches all the fields and the one that only matches the email.

From git CLI, it depends on your configuration.

If you do a `git log --show-signature` at first it will complain with `error: gpg.ssh.allowedSignersFile needs to be configured and exist for ssh signature verification`. You need to set up a file with your trusted ssh signatures.

Once you set that up, it will verify ALL correctly signed commits, even if they don't match the commit email address. Seems like the signature and the commit can have different emails, so to speak: "committed by fake@email.com and signed by real@email.com. The signature is valid by real@email.com".

Example I did, changing the email addresses:

  git show --show-signature 11906e1
  commit 11906e14155ae08b7e7e23f26aa9c04913ade5dd
  Good "git" signature for good@email.com with ED25519 key SHA256:9uU6+7pNNzwVEKTecpJE4Bmm2WXaqZXMZRLe9rJZ0ZY
  Author: fake name <fake@email.com>
  Date:   Mon Nov 25 13:36:28 2024 +0100

TeMPOraL 3 hours ago | parent | prev [-]

> needs to match the name/comment/email

Is that "/" an "and", or an "or"? I'd expect only e-mail has to match, leaving you free to change the user name.

edejong 3 hours ago | parent | prev | next [-]

People paid him for such nonsense?

7bit 3 hours ago | parent [-]

The service came at no additional cost

est 2 hours ago | parent | prev [-]

git has built-in support to separate author and committer; I believe he/she is just changing the author property.