Access control - author authenticity using a shared integration repository
Stanimir Stamenkov
s7an10 at netscape.net
Sun Jan 3 13:52:17 CST 2010
Wed, 30 Dec 2009 12:36:59 +0100, /Martin Geisler/:
> Stanimir Stamenkov <s7an10 at netscape.net> writes:
>
>> [...] So it should be possible for a user to push changesets of other
>> authors. In this scenario I don't see anything preventing a user from
>> forging a changeset with the credentials of another. How do you deal
>> with this?
>
> You don't :-) It is my opinion that if you trust Alice and Bob to
> push changes directly to a repository, then you should also trust them
> not to forge changesets in inappropriate ways.
>
> I say 'inappropriate' since being able to commit changes under a "false"
> identity is a feature. (...)
I don't actually need to prevent people from doing it but need to
have a log of their actions so they can be audited and held
accountable. For this a post-commit hook (as suggested by
Thomas in another reply) or the extension you've given references to
should work just fine. I wanted to know if there are ready
solutions, and what they are.
>> Is there a trace of the push operations - who has done them and what
>> changesets have been added with them?
>
> Not by default. But if you search for 'pushlog', then you'll find
>
> http://mercurial.selenic.com/wiki/SonicHgExtension
>
> and
>
> http://hg.mozilla.org/mozilla-central/pushloghtml
>
> I'm not sure where the code is for the Mozilla pushlog, but I'm sure you
> can find it if you ask them.
Thank you and the others for the valuable feedback.
--
Stanimir
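
Added example, not part of the original message and not the SonicHg or Mozilla pushlog code: a minimal in-process Mercurial `changegroup` hook that records who pushed which changesets and marks those whose author differs from the pusher, without rejecting anything. The `KNOWN_IDENTITIES` map, the `pushlog.jsonl` file name, the hook path and the choice of environment variables for the authenticated pusher are assumptions.

```python
import json
import os
import time

# Hypothetical map: authenticated login -> commit author strings that login normally uses.
KNOWN_IDENTITIES = {"alice": {"Alice <alice@example.org>"}}

def _s(value):
    # Mercurial on Python 3 hands hooks bytes; normalise to str for JSON.
    return value.decode("utf-8", "replace") if isinstance(value, bytes) else value

def pusher_identity(environ):
    # Assumption: the transport sets one of these (web server auth or SSH login).
    for key in ("REMOTE_USER", "LOGNAME", "USER"):
        if environ.get(key):
            return environ[key]
    return "unknown"

def build_entry(pusher, changesets, identities=KNOWN_IDENTITIES, now=None):
    """Record one push; mark changesets whose author is not the pusher's own."""
    own = identities.get(pusher, set())
    return {
        "time": int(time.time() if now is None else now),
        "pusher": pusher,
        "changesets": [
            {"node": _s(node), "author": _s(author),
             "foreign_author": _s(author) not in own}
            for node, author in changesets
        ],
    }

def hook(ui, repo, hooktype, node=None, **kwargs):
    """changegroup hook: `node` is the first changeset added; the push runs to tip.

    Enable with (placeholder path):
      [hooks]
      changegroup.pushlog = python:/path/to/pushlog.py:hook
    """
    first = repo[node].rev()
    changesets = [(repo[r].hex(), repo[r].user()) for r in range(first, len(repo))]
    entry = build_entry(pusher_identity(os.environ), changesets)
    with open(os.path.join(_s(repo.path), "pushlog.jsonl"), "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return False  # a false return means success: log only, never reject
```

The log is only as trustworthy as the transport's authentication and the file's permissions: pushers should not have write access to `pushlog.jsonl` outside the hook.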