3

Gitosis is able to authenticate users based on a public/private key pair. It is able to find out which user is currently committing. However, the user name and email are taken from the client's Git configuration ('git config user.name' etc.), which can be set to arbitrary values. Is there any way to associate user names and emails with their public keys and then make Gitosis use these names and emails as the name and email of the committer?

I do not care if I will use Gitosis or WebDAV or some other alternative to share the repository. It just seems to me that none of the available methods supports this enforcement of using some kind of "correct" user name and email. If there exists some alternative, please tell me about it.

k21

2 Answers

2

Note, you cannot have the server actually set (overwrite) author or committer, because for this to work it has to modify the completely built commit objects (and all commits based on that).

And this will change the hash/id of the commit. So you can only reject them. (Technically of course you could create a new commit, but that would cause all kinds of problems).

eckes
1

The example update-paranoid hook in Git sources does the following check:

For all new commit or tag objects the committer (or tagger) line within the object must exactly match one of the user.committer values listed in the acl file.

I guess that one can configure Gitosis or Gitolite to do a similar check, or you can write your own update or pre-receive hook. In all those cases the push must be done via a "smart" transport, one that can use Git. This means pushing via SSH, or via "smart" HTTP (git-http-backend); it excludes pushing via WebDAV ("dumb" HTTP(S)).

Note that it doesn't make sense to check authorship of commits, as they may come from patches sent by email (it is the committer that should check them before applying), or from cherry-picking or rebasing.

Jakub Narębski
  • Thank you for your answer. I will most probably try git-http-backend. The problem with using hooks with Gitosis was that it did not set the name of the user who was logged in (it was always set to "git") – k21 Apr 19 '10 at 14:56
  • @koumes21: Gitosis (and Gitolite) does authentication based on the SSH key used, so it has a notion of which user accessed the repository ("logged in"), even if it uses the 'git' shell account. Gitolite provides the user that "logged in" in the `GL_USER` environment variable; I don't know about Gitosis. – Jakub Narębski Apr 19 '10 at 16:35
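
The committer check described in the second answer, combined with the `GL_USER` variable mentioned in the comments, can be sketched as a pre-receive hook. This is an added example, not code from the thread or from Git's update-paranoid hook. The `ACL` mapping, the user names and the sample commit are constructed assumptions, and it checks commit objects only (not tags).

```python
#!/usr/bin/env python3
"""pre-receive hook: reject a push if a new commit's committer is not registered for GL_USER."""
import os
import re
import subprocess
import sys

# Hypothetical ACL (constructed): authenticated user -> allowed "Name <email>".
ACL = {"alice": {"Alice Example <alice@example.org>"},
       "bob": {"Bob Example <bob@example.org>"}}
ZERO = "0" * 40  # object id git reports for a deleted ref (SHA-1 repository)
COMMITTER = re.compile(r"^committer (.*) \d+ [+-]\d{4}$", re.M)
# Constructed raw commit; its message imitates a header line on purpose.
SAMPLE = ("tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
          "author Carol Example <carol@example.org> 1271689000 +0200\n"
          "committer Alice Example <alice@example.org> 1271689000 +0200\n\n"
          "committer Bob Example <bob@example.org> 1271689000 +0200\n")

def committer_of(raw_commit):
    """Return 'Name <email>' from the header of a raw commit object, or None."""
    header = raw_commit.split("\n\n", 1)[0]  # the message follows the first blank line
    match = COMMITTER.search(header)
    return match.group(1) if match else None

def violations(user, commits, acl=ACL):
    """Return [(sha, committer)] for commits whose committer is not allowed for user."""
    allowed = acl.get(user, set())  # unknown or empty user: nothing is allowed
    return [(sha, who) for sha, raw in commits
            if (who := committer_of(raw)) not in allowed]

def new_commits(new):
    """Yield (sha, raw) for commits under `new` that no existing ref reaches yet."""
    out = subprocess.check_output(["git", "rev-list", new, "--not", "--all"], text=True)
    for sha in out.split():
        yield sha, subprocess.check_output(["git", "cat-file", "commit", sha], text=True)

def main():
    user = os.environ.get("GL_USER", "")
    bad = []
    for line in sys.stdin:  # one "<old> <new> <ref>" line per updated ref
        _old, new, _ref = line.split()
        if new != ZERO:
            bad += violations(user, new_commits(new))
    for sha, who in bad:
        print(f"rejected {sha[:10]}: committer {who!r} not allowed for {user!r}", file=sys.stderr)
    return 1 if bad else 0

if __name__ == "__main__":
    sys.exit(main())
```

The author line is deliberately ignored, in line with the answer's point that authorship may legitimately differ from the pusher. As the first answer notes, the hook can only reject a push, not rewrite the identity.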