Loading...

XML

Word

Printable

Details

Type: Suggestion
Resolution: Fixed
Fix Version/s: 7.1.0
Component/s: Git Hosting
Labels:

Feedback Policy:

We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

Description

Atlassian status as of April 2020

Hi all,

I'm excited to share that in Bitbucket Server 7.1 we shipped Push log feature that allows admins to see the history of all push events in a repository.

You can find more information in the Bitbucket Server 7.1 release notes and Push log docs.

Please, don't hesitate to leave feedback on the feature in the comments. This will help us to priorities further development.

Bitbucket also has several features that help sign and verify commits:

Committer Verification hook which verifies that the committer for each new commit being pushed matches the credentials of the person doing the push.
Verify Commit Signature hook requires GPG-signed commits in order to push. When it is enabled, each new commit or tag must be GPG-signed with a valid key, and that key must be associated with an active user account on the server. Otherwise the push is rejected.

Anton Genkin
Product Manager Bitbucket Server

Original request description

When performing a push, the author that is displayed by Stash is just taken from the author in the local git configuration, so essentially another developer can commit code against another developer's name and push it to the server to make it appear like that developer committed the code change.

In other words, when performing a push, stash doesn't ensure that the user performing the push is the same user as the GIT comitter. This allowed an authenticated user to push updates that appear to come from a different user by configuring their local GIT client with a different username/email address. I can see we may be able to work around this by implementing a GIT hookthat checks the REMOTE_USER variable exposed by Stash.

Are there plans to implement this functionality directly into the product to improve security?

We need to have complete traceability on the push to the shared repository, is there a way of achieving this with Stash

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

validate-username
1 kB
31/Jan/2013 3:57 PM

Issue Links

duplicates

BSERV-10597 Branch event in Audit logging

Closed

is duplicated by

BSERV-7559 Can Stash reject commits if the email address being used to commit doesn't match any Stash user

Closed

BSERV-9063 As a user, I'd like to know which authenticated user added a commit to a repository in Bitbucket Server

Closed

is related to

BSERV-2717 Provide the ability to require and validate signed commits and commit tags

Closed

BSERV-2715 Show push date in addition to commit date for commits

Gathering Interest

relates to

BSERV-4587 Increase priority of push events for Audit Log

Closed

BSERV-8868 Show both author and committer information on Bitbucket Server UI

Closed

BSERV-8875 Smart Commits - only run actions from commits authored by the pusher

Closed

SSP-8471 Loading...

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(4 relates to, 15 mentioned in)

Activity

People

Assignee:: Unassigned

Reporter:: Malik Mangier (Inactive)

Votes:: 146 Vote for this issue

Watchers:: 134 Start watching this issue

Dates

Created:: 16/Jul/2012 3:00 PM

Updated:: 10/Aug/2020 5:02 PM

Resolved:: 02/Apr/2020 12:34 AM