Details
-
Suggestion
-
Resolution: Fixed
Description
Hi everyone,
Thanks to everyone for voting and commenting on this suggestion. Your input in the comments helps us understand how this affects you and what you're hoping to accomplish with Bitbucket Server.
This suggestion is currently under consideration by the Bitbucket development team, however we're not able to provide a timeline for when it will be resolved. Learn more about our process here.
Regards,
Norman Ma
Product Manager - Bitbucket Server
Briefly:
With Git, users simply "declare" their identity within the configuration of the Git client, which ends up being recorded as the "author" when commits are made against a repository. However, when pushing to a repository hosted within Stash, the identity used to authenticate to the repository may be different then that identity that was recorded when the commits were made.
Furthermore, there is no reliable way to verify or be reasonably certain that commit X was actually performed by user Y. The user could simply have declared their identity to be something false. The lack of a reliable audit trail of changes is a significant issue, particularly for corporations.
One solution to this issue is to require users to perform signed commits (or in the case of pull requests, only allow pull requests against a signed commit tag). The ability is needed to configure a repository to only allow commits that have been signed and verify that the signature is both valid and trusted. At present, this seems to be the only way to establish a reliable audit trail within Git.
Some sources for details:
http://git-scm.com/book/en/Git-Basics-Tagging
http://mikegerwitz.com/docs/git-horror-story.html
http://git-blame.blogspot.com/2012/01/using-signed-tag-in-pull-requests.html
Attachments
Issue Links
- is duplicated by
-
BSERV-7983 Possibility for developer spoofing at a git level with BB Server
-
- Closed
-
-
- Closed
-
- Closed
- is related to
-
- Closed
- relates to
-
- Closed
