Issue #2672 wontfix

Raw_author can be used by another user for putting events on another user's timeline (BB-319)

masterbranch
created an issue

I'm from masterbranch.com. I'm now working on BitBucket's support and I found what can be an issue with users and raw_authors while I was dealing with the verification of authors.

For instance, if I set up my ~/.hgrc as

{{{
[ui]
username = Jesper Noehr <With his mail at the commit changesets>
verbose = True
}}}

I can push changes to a repository of which I'm the owner after logging in with my account, e.g. masterbranch.

And when the commit is pushed, everything is OK, but instead of my BB user id being put as the author, it is the user id of the raw_author (that I set up in my system), and it is also put in their activity timeline; in this case, if I use this .hgrc, it will be jesper.

It is not a critical issue, but it can be "exploited" for spamming/annoying purposes, I think.

Cheers

Comments (4)

  1. Dylan Etkin

    Hello,

    You are correct, there is nothing stopping someone from making commits with an author string that impersonates someone else. This is a fundamental issue related to the nature of DVCS.

    The one way we could solve this would be to support signed commits. We have an issue for this in our backlog but it is not really high on the radar.

    I am sorry I could not help more,

    Dylan
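One attribution policy a hosting service could apply to the behaviour discussed in this issue, as an added example that is not from the thread and is not Bitbucket's code: the authenticated pusher is the only trusted identity, and the changeset's author string is linked to an account only when it matches an address that the pusher has verified. The account names, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample data: account -> verified e-mail addresses (hypothetical).
VERIFIED_EMAILS = {
    "masterbranch": {"dev@masterbranch.example"},
    "jesper": {"jesper@example.com"},
}

# The author string is free-form text from the committer's own config;
# pull out an address in angle brackets if there is one.
EMAIL_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


def account_for_author(raw_author):
    """Return the account whose verified address appears in raw_author, or None."""
    match = EMAIL_RE.search(raw_author)
    if not match:
        return None
    email = match.group(1).lower()
    for account, emails in VERIFIED_EMAILS.items():
        if email in emails:
            return account
    return None


def attribute_commit(pusher, raw_author):
    """Decide how a pushed changeset is shown.

    pusher     -- account that authenticated for the push (trusted)
    raw_author -- author string stored in the changeset (untrusted)
    """
    claimed = account_for_author(raw_author)
    return {
        # The push event always belongs to whoever authenticated.
        "timeline_owner": pusher,
        # Link the author to a profile only when the pusher owns that address.
        "linked_author": claimed if claimed == pusher else None,
        # Shown as plain text either way, so history stays readable.
        "display_author": raw_author,
        # True when the string names another account. Pushing someone else's
        # commits is normal in a DVCS, so this is a label, not a rejection.
        "mismatch": claimed is not None and claimed != pusher,
    }


if __name__ == "__main__":
    print(attribute_commit("masterbranch", "Jesper Noehr <jesper@example.com>"))
```

Under this policy the commit still displays the author string it carries, but nothing lands on the named user's timeline unless that user pushed it.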
