Git: "git config --global user.name" - why does this option exist?

Git beginner warning! I have a basic question about WHY Git allows you to change the username as a config option:

    git config --global user.name trojan

Doesn't this option allow the committer to impersonate and create history / log confusion? Why isn't it as easy as taking the username from the credentials that are used to connect to Git?

+3




1 answer


  • As Greg points out in a comment, that can only work in a clean push workflow. There are many others, including clean-pull, email, git bundle, or any combination of the two.
  • It cannot work for technical reasons: the identity of the commit is a cryptographic checksum of the complete contents of that commit, including the commit's author and committer fields. They must be assigned during the creation of the commit and after assignment can never be changed: to "change" any part of the commit, you copy it to a new commit object, which receives a new hash code that is identical to the original only if the copy is bit-for-bit identical. In other words, I can impersonate you by copying your commit bit by bit, including the entire source, log message, timestamps, etc. But for this I have to get your commit, after which my copy is just your commit. In this case, this is your commit and it should have your name on it!
  • There are often reasons why it is possible to decouple public identity (username and email) from any authentication credentials: for example, the credentials I use to authenticate to GitHub are different from those I use to authenticate to other places. But I'm still the same person. One could add an "Identity-AND" authentication layer using credentials A and then the site matches AB to get my name (and in fact GitHub does exactly that with ssh, since one "logs in" as git@github.com), but that puts all the power in the hands of the site. This is contrary to the design philosophy.

If you want to authenticate any particular commit action - you get a commit whose ID is 99154acf3ba... or some of it, and it claims to be authored by Linus Torvalds or Bill Gates or Barack Obama or whatever - Git provides the ability to use some external authentication service, such as PGP, that uses digital signatures and all their complexities (including chain of trust and revocation). In this particular area, there are, shall we say, some current events, some of which have some effect on Git.



(PGP authentication with GPG is built into Git, but performed by external programs. A particularly glaring weakness here is that the signed tag or commit only validates that one tag or commit itself. Additional authentication depends on the security of the Merkle tree, which is not yet completely compromised for Git's use of SHA-1, but is suspicious: see the related StackOverflow question.)

+3
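The second bullet of the answer above, worked through as an added example (not code from the question or the answer): it serializes an unsigned commit the way Git stores it under the SHA-1 object format and shows that a bit-for-bit copy keeps the commit ID while changing only the name in the author and committer fields yields a different one. The identities, timestamp and message are constructed sample values.

```python
import hashlib

def git_object_id(kind: str, body: bytes) -> str:
    """SHA-1 over '<kind> <size>\\0' + body: how Git names an object."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def commit_object(tree, parents, author, committer, message):
    """Serialize an unsigned commit in Git's on-disk text layout."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}"]
    return ("\n".join(lines) + "\n\n" + message).encode("utf-8")

def identities(body: bytes) -> dict:
    """Read the author/committer headers back out of a raw commit body."""
    headers = body.split(b"\n\n", 1)[0].decode("utf-8")
    fields = dict(line.split(" ", 1) for line in headers.split("\n"))
    return {k: fields[k] for k in ("author", "committer")}

# Constructed sample data: the tree with no entries, and two made-up identities.
EMPTY_TREE = git_object_id("tree", b"")
ALICE = "Alice Example <alice@example.com> 1700000000 +0000"
TROJAN = "trojan <alice@example.com> 1700000000 +0000"

def demo():
    original = commit_object(EMPTY_TREE, [], ALICE, ALICE, "Initial commit\n")
    exact_copy = bytes(original)  # bit-for-bit copy: still "your" commit
    # Same tree, timestamp and message; only the configured name differs.
    renamed = commit_object(EMPTY_TREE, [], TROJAN, TROJAN, "Initial commit\n")
    return {
        "original": git_object_id("commit", original),
        "exact_copy": git_object_id("commit", exact_copy),
        "renamed": git_object_id("commit", renamed),
        "renamed_author": identities(renamed)["author"],
    }

if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:15} {value}")
```

The ID binds the name to the content but says nothing about who typed it: the "renamed" commit is a perfectly valid object, which is why the answer points to signatures for authenticating authorship.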

