User masquerading - audit trail?
Kurt Granroth
kurt.mercurial at granroth.com
Fri Oct 3 14:12:23 CDT 2008
Mercurial allows you to set the username for patches to anything you
want. This makes it trivially simple to masquerade as somebody else.
For instance, say I have the ability to write to the primary hg repo.
For whatever reason, I decide to commit a patch under the username "Matt
Mackall <mpm at selenic.com>". There's nothing in hg that will stop me
from pushing the patch as-is. Now we have a patch in the repo that
claims to be authored by somebody other than who really did it.
How can I detect that? In all the tests I've done, the masquerade is
pretty complete. I cannot find any way of seeing who really created any
given patch.
What I'm hoping for is some way to identify a patch by the ssh username.
Something like a 'Pushed by: kurt at selenic.com' even though the username
says 'Matt'.
Is there anything like that?
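
One way to record the kind of 'Pushed by' trail asked about above, as an added example that is not part of the original post and is not Mercurial's own code: an external `pretxnchangegroup` hook on the server that logs the ssh login next to each incoming changeset's claimed author. It assumes every developer pushes through their own ssh account and that the hook runs from the repository root; the script name, the `ALLOWED` mapping, the log path and the sample identities are hypothetical.

```python
"""Added example: push audit hook. Assumed server-side hgrc wiring:
    [hooks]
    pretxnchangegroup.audit = python3 /path/to/push_audit.py
"""
import os
import subprocess
import sys
import time

# Hypothetical mapping: ssh login -> commit usernames that login may use.
ALLOWED = {"kurt": {"Kurt Example <kurt@example.com>"}}
AUDIT_LOG = ".hg/push-audit.log"  # hypothetical path, relative to repo root


def parse_changesets(hg_output):
    """Turn '<node><TAB><author>' lines from `hg log` into (node, author) pairs."""
    return [tuple(line.split("\t", 1))
            for line in hg_output.splitlines() if "\t" in line]


def audit_records(pusher, changesets, when, allowed=ALLOWED):
    """One record per changeset: time, pusher, node, claimed author, verdict."""
    records = []
    for node, author in changesets:
        verdict = "ok" if author in allowed.get(pusher, set()) else "MISMATCH"
        records.append("\t".join([when, pusher, node, author, verdict]))
    return records


def main():
    # Over ssh the hook runs as the authenticated account, so the login name
    # identifies the pusher whatever the changeset's username field claims.
    pusher = os.environ.get("LOGNAME") or os.environ.get("USER") or "unknown"
    first = os.environ["HG_NODE"]  # first changeset of the incoming group
    out = subprocess.run(
        ["hg", "log", "-r", first + ":tip", "--template", "{node}\t{author}\n"],
        check=True, capture_output=True, text=True).stdout
    when = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    with open(AUDIT_LOG, "a") as log:
        for record in audit_records(pusher, parse_changesets(out), when):
            log.write(record + "\n")
    return 0  # log only; return 1 instead to reject a push with a MISMATCH


if __name__ == "__main__":
    sys.exit(main())
```

The log lives outside history, so it is not cloned or pulled, and it only means something if the pushing accounts cannot write to it directly.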