9

I'm the owner of a few corporate GitHub repositories. Lately we have been suspicious of a developer who may be enlisting outsourced help through his borrowed GitHub identity (many 4am commits in batches). Is there a way on github.com to determine the source IP address of the committer? On the traffic page I can infer this info based on the number of unique clones, but this is not enough data for us to validate our concerns.

Cheers, Joe Anonymous

joe mediocrity
  • 10
    Joe Anonymous the champion of transparency. Very interesting. – SzG Nov 17 '14 at 22:26
  • 2
    SzG the champion of finding irony. Not interesting to this thread. Anonymity is important to avoid sleuthing individuals from catching on before legal proceedings. The alternative is to take security and plagiarism lightly. – joe mediocrity Nov 17 '14 at 22:31
  • 2
    Unfortunately, IP information is not captured by Git itself, and even if it was, the end user would likely have control over it--so it wouldn't be trustworthy. If you were using GitHub Enterprise, I think you'd have a few more options (such as the push log). It appears that at least some client side actions show the client IP. But I don't think the push log is available on GitHub proper. – John Szakmeister Nov 18 '14 at 00:49
  • Thanks jszakmeister, that's the answer I was looking for. Sincerely appreciated. I'll just have to find another way to prove/disprove my theory. HR concerns require evidence, not theories. – joe mediocrity Nov 18 '14 at 04:06

2 Answers

12

If this "individual", if I'm quoting your corporatese right, lets his subcontractors commit themselves to the official repo in his name without further precautions, then he is an idiot and deserves to be fired.

In this case, you probably don't even need the committer's IP address. The commit itself contains some very useful data:

git cat-file -p <suspicious-commit-id>

Will show the entire commit object. It will contain two lines like this:

author Foo Bar <foo@bar.com> 1398017575 +0200
committer Foo Bar <foo@bar.com> 1398017575 +0200

As you can see there is timezone info following the Unix-epoch timestamps. If you're on the East Coast in the USA, you should see something like -0500. If the subcontractors are in India, you'll see +0630 or something like that.

The "individual" has probably more sense than that. So the subcontractors push to his repo, then he rewrites history and pushes to the official repo. In the latter case, good luck.

SzG
  • This command is quite good. It gives me the two lines of information mentioned. I think another tool, gitk, would give you detailed information about entire commits. Before that, you have to ensure that gitk is installed on your computer. – naf4me Feb 10 '16 at 04:39
  • Only issue here is that savvy tricksters will VPN to a reasonable location. Of course, IP will not help in this case either but still very good info. – Matt Hudson Jun 17 '21 at 14:28
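
Added example (not part of the original answer or its comments): a Python sketch that parses the author and committer lines from `git cat-file -p` output, tallies UTC offsets per author email, and lists commits whose committer line differs from the author line. The sample commit objects are constructed and the function names are this example's own; the offset comes from the committing machine's settings, so treat it as a lead rather than proof.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Header lines of a raw commit object: role, name, <email>, epoch, UTC offset.
IDENT = re.compile(r"^(author|committer) (.*) <([^>]*)> (\d+) ([+-])(\d{2})(\d{2})$")

def parse_idents(raw_commit):
    """Parse the author/committer headers from `git cat-file -p <commit>` output."""
    idents = {}
    for line in raw_commit.splitlines():
        if not line:  # blank line ends the headers; the commit message follows
            break
        m = IDENT.match(line)
        if m:
            role, name, email, epoch, sign, hh, mm = m.groups()
            minutes = (int(hh) * 60 + int(mm)) * (-1 if sign == "-" else 1)
            local = datetime.fromtimestamp(int(epoch), timezone(timedelta(minutes=minutes)))
            idents[role] = {"name": name, "email": email,
                            "offset": sign + hh + mm, "local": local}
    return idents

def summarize(raw_commits):
    """Tally UTC offsets per author email; list commits whose committer line differs."""
    offsets, differs = {}, []
    for i, raw in enumerate(raw_commits):
        ids = parse_idents(raw)
        a, c = ids["author"], ids["committer"]
        offsets.setdefault(a["email"], Counter())[a["offset"]] += 1
        # Compare identity, offset and instant; a mismatch means the commit object
        # was written separately from authoring (e.g. rebase, amend, cherry-pick).
        if (a["email"], a["offset"], a["local"]) != (c["email"], c["offset"], c["local"]):
            differs.append(i)
    return offsets, differs

# Constructed sample commit objects (not real repository data).
TREE = "tree " + "0" * 40 + "\n"
SAMPLE = [
    TREE + "author Foo Bar <foo@bar.com> 1398017575 +0200\n"
           "committer Foo Bar <foo@bar.com> 1398017575 +0200\n\nfix parser\n",
    TREE + "author Foo Bar <foo@bar.com> 1398033000 +0530\n"
           "committer Foo Bar <foo@bar.com> 1398060000 +0200\n\nadd feature\n",
]

if __name__ == "__main__":
    per_author, differs = summarize(SAMPLE)
    for email, counts in per_author.items():
        print(email, dict(counts))
    print("committer differs from author in commits:", differs)
```
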
2

The Security log might have enough info:

https://github.com/settings/security-log


KERR