Adam Engler

Reputation: 33

Security questions on Git

Some developers of my company would like to use Git (and GitLab) instead of Subversion. We develop software for the financial sector, so the use of the version control system must be secure.

Question 1

You can manipulate git config user.name and git config user.email in order to pretend to be someone else (e.g. an ex-colleague). Can you prevent this or at least find out who did this?

Question 2

You can manipulate the date of your commit using the environment variables GIT_AUTHOR_DATE and GIT_COMMITTER_DATE. Can you prevent this or at least find out who did this?

Upvotes: 3

Views: 76

Answers (1)

user4815162342

Reputation: 155525

When moving from Subversion to git, it is important to bear in mind that a git commit doesn't precisely map to an svn commit. In git, there is a separate step of creating one or more commits, and pushing them to the server.

What you want to closely monitor are the push operations, because those actually change the state of the repository as observed by others. Also note that a single push may introduce many new commits, sometimes by different authors. As for security:

  • In a typical git server, a push is authorized using an SSH key, so it should be as secure as SSH itself (i.e. very secure).

  • Individual commits can further be signed.

Dates recorded in the commit are mostly irrelevant because again what matters is the time a set of commits is pushed to the server. Individual commit dates serve as more of a reminder to the author than as a serious tracking tool. You need to check with your git provider whether and how they track times of pushes received from users.

Upvotes: 4
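A server-side pre-receive hook is one place to do the push monitoring described in the answer. The sketch below is an added example, not code from the answer or from GitLab: it compares each newly pushed commit's committer email, commit date and signature status with what the server knows at receive time. `PUSHER_EMAIL`, `AUDIT_LOG` and the `MAX_SKEW` threshold are assumptions introduced for illustration.

```shell
#!/bin/sh
# Added example. PUSHER_EMAIL is a hypothetical variable: the address the
# server ties to the SSH key that authenticated this push.
MAX_SKEW=86400  # assumption: flag commit dates over a day from push time

# check_commit SHA COMMITTER_EMAIL COMMITTER_TS SIG_STATUS PUSHER_EMAIL NOW
# Prints one finding per line, nothing when the commit is consistent.
check_commit() {
    sha=$1; email=$2; ts=$3; sig=$4; pusher=$5; now=$6
    # user.email is free text; compare it with the authenticated identity
    [ "$email" = "$pusher" ] || echo "$sha committer-mismatch $email"
    # %G? is G only for a good signature from a key with known validity
    [ "$sig" = G ] || echo "$sha not-verified-signed $sig"
    # GIT_COMMITTER_DATE is free text too; compare it with the receive time
    skew=$((now - ts))
    if [ "$skew" -lt 0 ]; then skew=$((0 - skew)); fi
    [ "$skew" -le "$MAX_SKEW" ] || echo "$sha date-skew ${skew}s"
    return 0
}

# Reads "<old> <new> <ref>" lines, the input git gives a pre-receive hook.
audit_push() {
    now=$(date +%s)
    while read -r old new ref; do
        case $new in *[!0]*) ;; *) continue ;; esac  # ref deletion
        # commits reachable from the pushed tip but from no existing ref
        git log --format='%H %ce %ct %G?' "$new" --not --all |
        while read -r sha email ts sig; do
            check_commit "$sha" "$email" "$ts" "$sig" "$PUSHER_EMAIL" "$now"
        done
    done
}

# Audit only: log findings with push time and pusher, never reject.
# AUDIT_LOG is a hypothetical path for the server-side log.
case ${0##*/} in
pre-receive)
    audit_push | while read -r finding; do
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $PUSHER_EMAIL $finding"
    done >> "${AUDIT_LOG:-push-audit.log}" ;;
esac
```

A committer mismatch is logged rather than rejected because, as the answer notes, one push can legitimately carry commits made by several people.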
