How to check an authenticity of a changeset?
Michael Smith
michael.smith at thalesatm.com
Wed Nov 12 21:26:13 UTC 2008
Chuck Kirschman wrote:
> Michael Smith wrote:
>
>> Maxim Vuets wrote:
>>
>>> On 11/11/08, Michael Smith <michael.smith at thalesatm.com> wrote:
>>>
>>>
>>>>> So I need some way to check the authenticity of a changeset.
>>>>> Because anyone who has push-access to a repo can
>>>>> impersonate another person.
>>>>>
>>>>> This issue is not actual for CVCS as I understand.
>>>>>
>>>>>
>>>> In a centralized system developer-1st could do -u 'developer-2nd' as well.
>>>>
>>>>
>>> Usually CVCS uses user authentication. Thus you can commit
>>> something only after confirmation of your person (via login/password
>>> in most cases).
>>>
>>>
>> Yes but there is nothing to stop me patching the client to change the
>> recorded user name or directly editing the revision history to show
>> whatever I want.
>>
>
> This is definitely not true if you use Active Directory authentication,
> which is available in cvsNT. Unless you know the other person's
> password, you can not impersonate them. I don't see any way to extend
> this concept to a DVCS though. You can create any sort of user on your
> local box.
>
So you can't just edit a file in $CVSROOT with a generic editor?
--
*Michael Smith*