User masquerading - audit trail?
Matt Mackall
mpm at selenic.com
Fri Oct 3 17:55:16 CDT 2008
On Fri, 2008-10-03 at 12:12 -0700, Kurt Granroth wrote:
> Mercurial allows you to set the username for patches to anything you
> want. This makes it trivially simple to masquerade as somebody else.

Given that Mercurial is a distributed system, not only is it trivial, it
is unpreventable. The user has complete control of the execution
environment on their laptop and can tell hg whatever name it wants.

> For instance, say I have the ability to write to the primary hg repo.
> For whatever reason, I decide to commit a patch under the username "Matt
> Mackall <mpm at selenic.com>". There's nothing in hg that will stop me
> from pushing the patch as-is. Now we have a patch in the repo that
> claims to be authored by somebody other than who really did it.
>
> How can I detect that? In all the tests I've done, the masquerade is
> pretty complete. I cannot find any way of seeing who really created any
> given patch.
>
> What I'm hoping for is some way to identify a patch by the ssh username.
> Something like a 'Pushed by: kurt at selenic.com' even though the username
> says 'Matt'.

Presumably the 'server' would be adding this information. But there's
really no special notion of server (any client can also be a server), so
there's no notion of a server being more trusted than anything else.
What happens when the 'server' pushes the chain set up another level?
Now you need 'Pushed by: kurt according to the repo at 10.0.0.1/tmp'.
Hmm, that's not very useful. Nor is it hard to fake (much like
Received-by: headers in email).

> Is there anything like that?

No, but there is a gpg extension for digitally signing things.

--
Mathematics is the supreme nostalgia of our time.
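
The 'Pushed by:' record discussed in this thread, sketched as a `changegroup` hook on one central repository reached over ssh. This is an added example, not part of the original message and not Mercurial's own code. It assumes every committer logs in with their own system account (so `LOGNAME` identifies them), the log path is a hypothetical placeholder, and, as the reply points out, the result is only what this one server observed, not proof of authorship.

```shell
#!/bin/sh
# Assumed hgrc wiring on the central repository (script path is a placeholder):
#   [hooks]
#   changegroup.pushlog = /path/to/pushlog.sh
# Mercurial exports HG_NODE (the first incoming changeset) to this hook.
# The pusher is taken from LOGNAME/USER as set by sshd on the server,
# never from the username recorded in the changesets themselves.

# format_audit PUSHER TIMESTAMP
# Reads "node<TAB>author" lines on stdin and writes one tab-separated
# audit record per changeset, keeping the claimed author next to the
# account that actually delivered it.
format_audit() {
    pusher=$1
    stamp=$2
    while IFS="$(printf '\t')" read -r node author; do
        [ -n "$node" ] || continue        # skip blank lines
        printf '%s\tpushed-by=%s\tnode=%s\tclaimed-author=%s\n' \
            "$stamp" "$pusher" "$node" "$author"
    done
}

# Hook entry point: runs only when Mercurial invoked the script.
if [ -n "${HG_NODE:-}" ]; then
    pusher=${LOGNAME:-${USER:-unknown}}
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # AUDIT_LOG is a hypothetical setting; keep the file outside the
    # repository so a push cannot rewrite it.
    hg log -r "$HG_NODE:" --template '{node|short}\t{author}\n' |
        format_audit "$pusher" "$stamp" >> "${AUDIT_LOG:-/var/log/hg-pushlog.tsv}"
fi
```

Changesets that are later pulled or pushed onward to another repository do not carry these records with them; the log stays local to the server that wrote it.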