Issue #2739 wontfix

Add service to reject changegroups with usernames that do not match writers (BB-1765)

created an issue

When we first switched to Mercurial from SVN, one of the things that bothered the project managers was the flexibly of the username field. In our subversion workflow the field used to securely track where code had entered the database from. In mercurial on the other hand, it was possible to push a malicious change ( a back door or something like that ) and make it appear to come from a different employee.

To solve this problem, I wrote a quick pretxnchangegroup hook that would look at each changeset and reject the push if it contained any changes that had a username different then the username that was authenticated to the server.

Because in our workflow we rarely push or pull among our selves this works pretty well. [ In a situation where we did share some change sets, we just take turns pushing incrementally. ]

It would be great if this kind of check could be turned on as an option in bitbucket. It's the one thing that's preventing me from making a strong recommendation to scrap our slow hg server and move to bitbucket.

Attached is our internal hook. We only push over HTTP, so it doesn't do user lookups based on key or anything like that.

Comments (5)

  1. David Chambers

    I don't understand why this is necessary, basicer, so I'm probably missing something. Are you worried that a developer on your team will pull a malicious changeset from somewhere and push it to the "master" repository?

  2. Log in to comment