How to ensure commit author

Question

When I commit a code using git, I need to inform two global variables: user.name and user.email. However, I can put any email or information, inclusive other users or a invalid name or email. How git ensures this information?

Answer 1

You can easily get the best available security over inbound commits, however, it isn't git's job to choose how you authenticate—git can't control OS authentication—only to allow you to plug in the security system you choose. Git hooks, in particular the pre-receive hook, are implemented to do just that. GPG is widely chosen for its flexibility, for offering total control over what identification standards to trust, for its universal availability, and for having survived fifteen years of security auditing.

(edit: furthermore, git distinguishes between author and committer; since the effects of a commit can be re-applied in other histories, the commit author can be held responsible for the original work, but if the changes are re-applied elsewhere only the person applying them can be held responsible for the fidelity.)

(wording, typo, links)

Answer 2

It doesn't, you just got to trust who is pushing.

---

There are some workarounds for it and respective downsides:

• Checking in a update hook: it might deny a legit reuse of a commit of another author (when cherry-picking, e.g., as pointed out in here)
• Using more than one repository and GPG signing: a very bureaucratic solution
• Using sshd logging if you are using it through ssh: does not deny the operation though, it is just for consulting

You can also make your own using a pre-receive or update hook

Answer 3

Git does not ensure anything at all. You could enter anything. The information is not used by Git, it just gets noted in the commits.