Force user to be System user?
Michael Thomas
mlists at bigrideau.com
Thu Aug 6 16:40:56 CDT 2009

Douglas Philips wrote:
> On or about 2009 Aug 6, at 3:42 PM, Michael Thomas inquired:
>> Noob question but googling provided no answers.
>>
>> Is there a way to force the user name of the committer to be that of the
>> user account being used? My naive understanding is that using -u one
>> can make the user be anything one wants? In that scenario how do people
>> audit who has committed what?
>
> No, there isn't. In a distributed system you're just getting bits over
> the wire.
> How do you know you can trust the remote system's notion of a user
> anyways?
> (This is a big problem, much much bigger than Mercurial)

I should have been more clear. I was thinking of a situation where there
is a central repository that the user is pushing to. So, if for example
I was pushing to ssh://fred@foo.com/repo hg would use fred as the user
making the change rather than a random user I might specify using -u. In
that case you at least see where a "real" user made the integration into
the central repository.

Note that this isn't about trust, it's about being able to easily
identify who did what and when. The ability to record the ssh user as
the committer actually allows me to leave the repository open to all
the comitter actually allows me to leave the repository open to all
users. Without it I need to go to a staging strategy or some other
intermediary step I would rather not have to go to.

A real world example that has nothing to do with trust: Show me all the
changes made by bob. Well, on bob's work machine he uses bob at work.com,
at home he makes a typo and it's boob at work.com, or he uses his internet
handle crazyivan. In all cases bob is making the push to the central
repository, and I trust Bob, but I can't consistently map his changes
back to him. This example sounds foolish, but if you are dealing with
100s of developers these things will materialize, guaranteed.

As you note below, I'm under no illusion that this provides any sort of
ironclad security, there is no such thing.
>
> Which isn't to say that Mercurial can't help.
> You might want to consider:
> http://mercurial.selenic.com/wiki/GpgExtension
> if you want some assurances about authenticity.
> (How can you be sure that the signer didn't give their private key
> away or have it stolen? Security is a matter of degree with trade-offs
> up and down the spectrum. Luckily Mercurial doesn't delude its users
> into thinking that there is an easy answer. Also luckily, it provides
> GpgExtension and in general provides hooks and other mechanisms so
> that it can be tuned to the level of paranoia/security of its users.)
>
> -Doug
>
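
One way to get the audit trail this message asks for, as an added example that is not from the thread or from Mercurial itself: a server-side hook on the central repository could record the SSH-authenticated account beside every incoming changeset, whatever `-u` claimed. The identity map, node ids and the way the hook obtains the account name and changeset list are assumptions; the sample values are constructed from the bob example above.

```python
"""Push audit: tie each incoming changeset to the SSH account that pushed it."""
import re

# Constructed identity map: SSH account -> committer addresses accepted for it.
KNOWN_IDENTITIES = {
    "bob": {"bob@work.com"},
    "fred": {"fred@foo.com"},
}

# Constructed sample push: (node, user field as set by the pusher's hgrc or -u).
SAMPLE_PUSH = [
    ("1111aaaa2222", "Bob <Bob@Work.com>"),
    ("3333bbbb4444", "boob@work.com"),
    ("5555cccc6666", "crazyivan"),
]

_EMAIL = re.compile(r"<([^<>]+)>")


def normalize(user):
    """Reduce 'Bob <Bob@Work.com>' or 'bob@work.com' to a lowercase key."""
    match = _EMAIL.search(user)
    return (match.group(1) if match else user).strip().lower()


def audit_push(ssh_account, changesets, identities=KNOWN_IDENTITIES):
    """Return (pushlog_rows, mismatches) for one push.

    Every row stores the authenticated account, so the log stays usable even
    when the claimed user is a typo or a handle. Mismatches are reported, not
    rejected: in a distributed workflow a user may push others' changesets.
    """
    allowed = identities.get(ssh_account, set())
    rows, mismatches = [], []
    for node, user in changesets:
        ok = normalize(user) in allowed
        rows.append({"node": node, "pushed_by": ssh_account,
                     "claimed_user": user, "match": ok})
        if not ok:
            mismatches.append((node, user))
    return rows, mismatches


def pushed_by(pushlog, ssh_account):
    """Answer 'show me all the changes pushed by this account'."""
    return [row["node"] for row in pushlog if row["pushed_by"] == ssh_account]
```
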