[Kde-scm-interest] Distributed model VS accountability

Thiago Macieira thiago at kde.org
Fri Nov 23 16:06:11 CET 2007


On Thursday 22 November 2007 22:58:29 Robert Wohlrab wrote:
> Let's do a "git-config user.name \"Aaron Seigo\"" and a "git-config
> user.email \"aseigo at olympusproject.org\"" and now do some commits with some
> nice, hidden security holes in it. Now change your name and mail back, do
> some nice double checked commits and push it to the official server (or let
> somebody else fetch).
> Some months later, Slashdot will have news about "KDE allows everyone to
> get root access and Aaron Seigo was it".
>
> Now let the discussion begin.

Yes, that's what I meant.

Here's an example:

$ cd kdelibs
$ git pull
$ [add questionable code]
$ GIT_COMMITTER_NAME="Thomas Zander" \
  GIT_COMMITTER_EMAIL=zander at kde.org \
  GIT_AUTHOR_NAME="Thomas Zander" \
  GIT_AUTHOR_EMAIL=zander at kde.org \
  git commit -m "Questionable commit"

$ git cat-file -p HEAD
tree 17e9962ec1e7a483d95b295739dcc2d5a24fadac
parent e4313d5f83056b15d432bbb3c7a964e1741fd444
author Thomas Zander <zander at kde.org> 1195830248 +0100
committer Thomas Zander <zander at kde.org> 1195830248 +0100

Questionable commit
$ git push

After that push, how can one tell that it was I who sent the questionable 
commit, not Thomas?

-- 
  Thiago Macieira  -  thiago (AT) macieira.info - thiago (AT) kde.org
    PGP/GPG: 0x6EF45358; fingerprint:
    E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358
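
The author and committer lines in the commit object above are whatever the committing client supplied, so attribution has to come from something the server records itself. The following is an added example, not part of the original message or of KDE's infrastructure: a pre-receive style check that rejects a push when a new commit's committer email differs from the authenticated pusher. PUSHER_EMAIL is a hypothetical variable assumed to be set by the server's authentication layer, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: compare the committer recorded in each pushed commit with
# the account that authenticated the push. PUSHER_EMAIL is an assumption
# (set by the server's auth layer); it is not a git built-in.

ZERO=0000000000000000000000000000000000000000

# Reads "sha|author-email|committer-email" lines on stdin (the output of
# git log --format='%H|%ae|%ce') and prints each sha whose committer email
# differs from $1. The comparison is case-insensitive.
mismatched_commits() {
    awk -F'|' -v want="$1" '
        NF == 3 && tolower($3) != tolower(want) { print $1 }'
}

# pre-receive body: stdin carries one "old new ref" line per updated ref.
# Returns 1 (reject the push) if any new commit names another committer.
check_push() {
    status=0
    while read -r old new ref; do
        [ "$new" = "$ZERO" ] && continue      # ref deletion: nothing to check
        if [ "$old" = "$ZERO" ]; then
            range="$new --not --all"          # new ref: commits the server lacks
        else
            range="$old..$new"
        fi
        # $range is left unquoted on purpose so it splits into arguments.
        bad=$(git log --format='%H|%ae|%ce' $range </dev/null |
              mismatched_commits "$PUSHER_EMAIL")
        if [ -n "$bad" ]; then
            echo "rejected $ref: committer is not $PUSHER_EMAIL in:" >&2
            echo "$bad" >&2
            status=1
        fi
    done
    return $status
}

# Constructed sample: the second commit names a different committer; the
# third has a different author but the pusher as committer (applied patch).
sample_log() {
    cat <<'EOF'
1111111111111111111111111111111111111111|alice@example.org|alice@example.org
2222222222222222222222222222222222222222|bob@example.org|bob@example.org
3333333333333333333333333333333333333333|carol@example.org|Alice@example.org
EOF
}

sample_log | mismatched_commits "alice@example.org"
```

Only the committer field is compared, because the author legitimately differs when someone applies another person's patch.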