
Git Log History

One thing that is important with version control is knowing who made what change. If something was changed and I had no idea why the change was made, I would look in the history and ask the person who made the change. As I am exploring git, one thing that makes me a little nervous about this feature is that it seems really easy to fake. What is stopping me from putting a co-worker's name/email in the git global config for user.name and user.email? When using something like gitosis/gitolite (which define users) or GitHub (which I assume uses something like gitosis/gitolite), is there any way to see who truly made a commit?

ryanzec asked Apr 22 '11 13:04



2 Answers

Gitolite logs (in .gitolite/logs/gitolite-*) the Gitolite user for each push. There is a bit more work to determine the push that introduced a particular commit, but it should be straightforward (one way: drop light-weight tags at the tip of each push, then use git name-rev to find the first tag after the commit).

Most Gitolite users probably only have a single SSH key associated with them (keydir/user.pub), but it is possible for a single user to have multiple SSH keys (keydir/user@*.pub).

So, for SSH-based Gitolite, you can map each commit to one (or more) SSH keys.

Whether you trust an SSH key to accurately identify a particular person is another question (i.e. do you trust the users to keep their private SSH keys secure?).

Gitolite can also moderate Git access over “smart HTTP”. In that case, the web server supplies the Gitolite username in the REMOTE_USER environment variable (i.e. instead of using the .ssh/authorized_keys file to identify the user based on the SSH key). The identification and authentication is completely up to the web server itself (usually just a username and password, but per-user SSL certificates could be used to do something more like SSH-based access).

So, for HTTP-based Gitolite, you can map each commit to an authentication done by the web server.


GitHub has some similar information and that can be queried through the Events part of the GitHub API (previously it only seemed to be available as part of the “Newsfeed” entries for your watched repositories). Each PushEvent identifies the GitHub user that executed the push, the name of the ref (branch) that was updated, the name (SHA1 hash) of the new ref “head” (the new tip of the updated branch), and a list of commits.

Chris Johnsen answered Sep 23 '22 16:09
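The tag-per-push idea from the answer above, as an added example that is not part of the original post: a throwaway repository where every commit claims to be Alice, and `git name-rev` resolves each commit to the first push tag that contains it. The tag naming scheme `push-N-by-USER` and the helpers `commit`, `record_push` and `pusher_of` are assumptions made for this demo; on a real server the tag would be created at push time from the user the server authenticated.

```shell
#!/bin/sh
# Constructed demo: a throwaway repo with two simulated pushes, each tagged at its tip.
set -e
repo=$(mktemp -d) && cd "$repo"
export HOME="$repo"                      # ignore any personal git config
git init -q .
# user.name/user.email are free text: every commit below claims to be Alice.
export GIT_AUTHOR_NAME=Alice GIT_AUTHOR_EMAIL=alice@example.com
export GIT_COMMITTER_NAME=Alice GIT_COMMITTER_EMAIL=alice@example.com

commit() {        # commit <message> <n>: empty commit with a fixed date, prints its hash
    d="$((1303473600 + $2)) +0000"
    GIT_AUTHOR_DATE="$d" GIT_COMMITTER_DATE="$d" git commit -q --allow-empty -m "$1"
    git rev-parse HEAD
}

record_push() {   # record_push <n> <user>: lightweight tag at the tip of a push
    git tag "push-$1-by-$2"              # hypothetical naming scheme
}

pusher_of() {     # pusher_of <commit>: user recorded for the first push containing it
    name=$(git name-rev --tags --name-only "$1") || name=undefined
    if [ "$name" = "undefined" ]; then   # not contained in any recorded push
        echo unknown
        return 0
    fi
    tag=${name%%[~^]*}                   # push-2-by-bob~1 -> push-2-by-bob
    echo "${tag##*-by-}"
}

c1=$(commit "add feature" 1)
record_push 1 alice                      # push 1, authenticated as alice
c2=$(commit "change config" 2)
c3=$(commit "fix typo" 3)
record_push 2 bob                        # push 2, authenticated as bob

for c in "$c1" "$c2" "$c3"; do
    printf '%s author=%s pushed_by=%s\n' "$(git rev-parse --short "$c")" \
        "$(git log -1 --format=%an "$c")" "$(pusher_of "$c")"
done
```

The author column reads Alice for all three commits, while the push tags attribute the last two to bob.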


This is not an ethics or philosophy forum, afaik; BUT

git allows signed commits and signed tags. This should help you feed your paranoia :)

sehe answered Sep 23 '22 16:09