Uploaded image for project: 'Bitbucket Data Center'
  1. Bitbucket Data Center
  2. BSERV-2642

Push Traceability

XMLWordPrintable

    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Atlassian status as of April 2020

      Hi all,

      I'm excited to share that in Bitbucket Server 7.1 we shipped Push log feature that allows admins to see the history of all push events in a repository.

      You can find more information in the Bitbucket Server 7.1 release notes and Push log docs.

      Please, don't hesitate to leave feedback on the feature in the comments. This will help us to priorities further development.

      Bitbucket also has several features that help sign and verify commits:

      • Committer Verification hook which verifies that the committer for each new commit being pushed matches the credentials of the person doing the push.
      • Verify Commit Signature hook requires GPG-signed commits in order to push. When it is enabled, each new commit or tag must be GPG-signed with a valid key, and that key must be associated with an active user account on the server. Otherwise the push is rejected.

      Anton Genkin
      Product Manager Bitbucket Server

      Original request description

      When performing a push, the author that is displayed by Stash is just taken from the author in the local git configuration, so essentially another developer can commit code against another developer's name and push it to the server to make it appear like that developer committed the code change.

      In other words, when performing a push, stash doesn't ensure that the user performing the push is the same user as the GIT comitter. This allowed an authenticated user to push updates that appear to come from a different user by configuring their local GIT client with a different username/email address. I can see we may be able to work around this by implementing a GIT hookthat checks the REMOTE_USER variable exposed by Stash.

      Are there plans to implement this functionality directly into the product to improve security?

      We need to have complete traceability on the push to the shared repository, is there a way of achieving this with Stash

        1. validate-username
          1 kB

          Form Name

            [BSERV-2642] Push Traceability

            Lisa Kaufman (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 498706 ]
            Lisa Kaufman (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 492054 ]
            Lisa Kaufman (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 490563 ]
            Anton Genkin (Inactive) made changes -
            Fix Version/s New: 7.1.0 [ 91605 ]
            Anton Genkin (Inactive) made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: In Progress [ 3 ] New: Closed [ 6 ]
            Anton Genkin (Inactive) made changes -
            Description Original: {panel:title=Atlassian status as of June 2017|borderStyle=solid|borderColor=#3c78b5|titleBGColor=#3c78b5|bgColor=#e7f4fa}
            Hi everyone,

            Thanks to everyone for voting and commenting on this suggestion. We have new features to verify the commits which consequently help in push traceability:
             * Bitbucket Server 5.0 included [Committer Verification hook|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-5-0-release-notes-889528342.html#BitbucketServer5.0releasenotes-Committerverification] which verifies that the committer for each new new commit being pushed matches the credentials of the person doing the push.
             * Bitbucket Server 5.1 included [Verify Commit Signature hook|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-5-1-release-notes-902140366.html#BitbucketServer5.1releasenotes-GPGsignedcommits] to require GPG-signed commits in order to push. When it is is enabled, each new commit or tag must be GPG-signed with a valid key, and that key must be associated with an active user account on the server. Otherwise the push is rejected.

            Enabling both these hooks, you can assure that all the commits pushed to Bitbucket are valid and secure.

            Also, with the above hooks, we satisfy the original request but, we are keeping the issue open as many of you are asking for push traceability for auditing/compliance which is currently under consideration. However, we're not able to provide a timeline for when it will be released. We're currently looking into what solution or solutions would best satisfy the needs we've heard from you. [Learn more about our process here|https://community.atlassian.com/t5/Answers-Developer-Questions/How-does-the-JIRA-team-use-jira-atlassian-com/qaq-p/475688].

            Regards,
            Imran Khan
            Product Manager - Bitbucket Server
            {panel}
            *Original request description*

            When performing a push, the author that is displayed by Stash is just taken from the author in the local git configuration, so essentially another developer can commit code against another developer's name and push it to the server to make it appear like that developer committed the code change.

            In other words, when performing a push, stash doesn't ensure that the user performing the push is the same user as the GIT comitter. This allowed an authenticated user to push updates that appear to come from a different user by configuring their local GIT client with a different username/email address. I can see we may be able to work around this by implementing a GIT hookthat checks the REMOTE_USER variable exposed by Stash.

            Are there plans to implement this functionality directly into the product to improve security?

            We need to have complete traceability on the push to the shared repository, is there a way of achieving this with Stash             		New: {panel:title=Atlassian status as of April 2020|borderStyle=solid|borderColor=#deebff|titleBGColor=#deebff|bgColor=#ffffff}
            Hi all,

            I'm excited to share that in Bitbucket Server 7.1 we shipped *Push log* feature that allows admins to see the history of all push events in a repository.

            You can find more information in the Bitbucket Server 7.1 [release notes|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-7-1-release-notes-998641213.html] and Push log [docs|https://confluence.atlassian.com/bitbucketserver/push-logs-998882984.html].

            Please, don't hesitate to leave feedback on the feature in the comments. This will help us to priorities further development.
            ----
            Bitbucket also has several features that help sign and verify commits:
             * [Committer Verification hook|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-5-0-release-notes-889528342.html#BitbucketServer5.0releasenotes-Committerverification] which verifies that the committer for each new commit being pushed matches the credentials of the person doing the push.
             * [Verify Commit Signature hook|https://confluence.atlassian.com/bitbucketserver/bitbucket-server-5-1-release-notes-902140366.html#BitbucketServer5.1releasenotes-GPGsignedcommits] requires GPG-signed commits in order to push. When it is enabled, each new commit or tag must be GPG-signed with a valid key, and that key must be associated with an active user account on the server. Otherwise the push is rejected.

            Anton Genkin
             Product Manager Bitbucket Server
            {panel}
            *Original request description*

            When performing a push, the author that is displayed by Stash is just taken from the author in the local git configuration, so essentially another developer can commit code against another developer's name and push it to the server to make it appear like that developer committed the code change.

            In other words, when performing a push, stash doesn't ensure that the user performing the push is the same user as the GIT comitter. This allowed an authenticated user to push updates that appear to come from a different user by configuring their local GIT client with a different username/email address. I can see we may be able to work around this by implementing a GIT hookthat checks the REMOTE_USER variable exposed by Stash.

            Are there plans to implement this functionality directly into the product to improve security?

            We need to have complete traceability on the push to the shared repository, is there a way of achieving this with Stash
            Alexandre Carlton made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 476375 ]
            Anton Genkin (Inactive) made changes -
            Status Original: Future Consideration [ 11775 ] New: In Progress [ 3 ]
            Anton Genkin (Inactive) made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 469508 ]
            Kim Tan made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 462216 ]

              Unassigned Unassigned
              mmangier Malik Mangier (Inactive)
              Votes:
              146 Vote for this issue
              Watchers:
              134 Start watching this issue

                Created:
                Updated:
                Resolved: