Details
Suggestion
Resolution: Unresolved
Description
On the Commit page that shows the commit history, it should be showing the account that pushed up the commit set. The user that is currently displayed is the e-mail in the ~/.gitconfig, which provides no security or accurate measure of who "actually" triggered the commit. A user could easily push a malicious commit appearing as someone else, and if it was not caught in the activity feed, the historical information of who actually made the change would be lost. Currently the information on who pushed a commit or set of commits up is only shown in the activity feed, which in an active team is lost very quickly.
This is less than ideal, and the perception of most companies is that the commit page is showing users who authenticated to push the change set(s). Upon finding out it was simply the ~/.gitconfig e-mail, I was greatly concerned. I consider this to be a bug; what is the point of security and auditing if it is completely meaningless and can be maliciously spoofed?
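The gap described in this report can be audited on the server side. The following is an added example, not part of the original report or of the product's code: a check a Git `pre-receive` hook could run to list pushed commits whose author or committer e-mail differs from the authenticated pusher. It assumes the hosting server supplies the pusher's e-mail; `flag_mismatched`, `demo` and the example.com identities are hypothetical and constructed.

```sh
#!/bin/sh
# Added example: the check a pre-receive hook could run on each pushed ref.
# Assumption: the hosting server passes in the authenticated pusher's e-mail.

TAB=$(printf '\t')

# flag_mismatched OLD NEW PUSHER_EMAIL
# Prints "<sha> <author-email> <committer-email>" for every pushed commit whose
# author or committer e-mail is not the authenticated pusher's.
flag_mismatched() {
  case $1 in
    *[!0]*) set -- "$3" "$1..$2" ;;         # existing ref: commits in OLD..NEW
    *)      set -- "$3" "$2" --not --all ;; # new ref: commits no ref has yet
  esac
  pusher=$1; shift
  git log --format='%H%x09%ae%x09%ce' "$@" |
    while IFS=$TAB read -r sha author committer; do
      if [ "$author" != "$pusher" ] || [ "$committer" != "$pusher" ]; then
        printf '%s %s %s\n' "$sha" "$author" "$committer"
      fi
    done
}

# Constructed sample: a throwaway repository in which the pusher (alice) sends
# one commit under her own identity and one recorded under another identity.
# The recorded identity is whatever the client's git config says.
demo() (
  repo=$(mktemp -d) && cd "$repo" || exit 1
  git init -q .
  commit_as() {
    git -c user.name="$1" -c user.email="$2" -c commit.gpgsign=false \
        commit -q --allow-empty -m "$3"
  }
  commit_as Alice alice@example.com "base"
  base=$(git rev-parse HEAD)
  commit_as Alice alice@example.com "own work"
  commit_as Bob bob@example.com "recorded as Bob"
  tip=$(git rev-parse HEAD)
  flag_mismatched "$base" "$tip" alice@example.com
)

demo
```

A real hook would read `<old> <new> <ref>` triples from standard input and either reject the push or write the flagged commits to an audit log alongside the authenticated account.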