Determine which computer a git commit came from

Question

Lately I've been exploring the vast and terrible world of intellectual property law and people seem to think that if you create something(software) on your time, with your equipment, it typically belongs to you. I know there are many exclusions to this and a couple of really good and informative posts on the subject. But now I'm mostly just curious about the means someone violating this agreement could be proven guilty.

My question is, is it possible to link a specific git commit to the computer it was committed with? How?

Answer 1

When you push to a Git repository over HTTP, HTTPS, or SSH, the remote server generally creates logs of what time the connection occurred and what IP address it originated from. However, most companies employ NAT, resulting in multiple computers on a network sharing the same public IP address.

Some examples logs:

# SSH
Feb  8 01:08:37 git-server sshd[12619]: Accepted publickey for git from 192.168.1.100 port 63012 ssh2: RSA SHA256:XxXxxXxxXXXxXX
Feb  8 01:08:37 git-server sshd[12619]: pam_unix(sshd:session): session opened for user git by (uid=0)

# Apache HTTP(s)
192.168.1.100 - - [8/Feb/2016:22:03:18 +0000] "GET /repos/info/refs HTTP/1.1" 200 153

Additionally, Git is decentralized, so the computer that actually pushed a commit did not necessarily author the commit.

A commit is generally tied to a name or username of some sort, and an email address; however, this can be changed at the time of committing without creating a record of what it was before and what it is now.

This is as simple as:

$ git config user.name "John Doe"
$ git config user.email [email protected]
$ git commit
$ git config user.name "Jane Otheruser"
$ git config user.email [email protected]

So, in short, there are heuristics that can point to who authored a commit and from where, but it is absolutely not absolute. Git itself does not record unique identifying information about the computer on which a commit was authored.

Version Control Systems like Subversion, in which all commits are immediately pushed to one central repository, are more easily linked to a Public IP, but are still not linked to an individual computer or user.

Answer 2

is it possible to link a specific git commit to the computer it was committed with?

If you have access to the possible machines, and with some caveats, yes.

Under normal circumstances, the machine from which the commit was created might have a distinct reflog entry that no other machines would have. For example, if the commit ID is 8fbfdbf750, then at most one machine would have an entry similar to this:

8fbfdbf750 (HEAD -> user/ttt/add-cool-thing-1) HEAD@{15}: commit: Add cool thing 1

It's certainly possible that other machines would have that commit ID listed somewhere in their reflog but it wouldn't contain the same string "commit:".

That being said, you probably shouldn't use this method for legal purposes, since there are some pretty significant caveats:

1. It's possible the relevant reflog entries have been purged. (The default is 90 days but they can be purged sooner, and even specific logs can be purged on demand.) The lack of a reflog entry doesn't confirm the commit wasn't created on a machine.
2. It's possible someone could purposefully tamper with the reflog on a machine under their control. For example, it's pretty straight forward to re-create the identical commit ID (by re-using the same state, parent commit, author, and dates) on another machine with the sole purpose of re-creating the identical commit and subsequent reflog entry.
3. If someone copies the entire .git directory from one machine to another, the reflog will go with it.

However, in the general sense, if you're just trying to answer the question, "From where did I make this commit?", if the commit was recent enough and you have no reason to assume any of the machine's reflogs have been tampered with, this method may work.