Preventing Author Spoofing
Gregory Szorc
gregory.szorc at gmail.com
Thu Nov 27 00:56:07 UTC 2014
On 11/26/14 11:57 AM, Aaron Jensen wrote:
> What is the recommended solution for preventing author spoofing? Our security team is nervous that anyone could make a commit, but use someone else's name/e-mail address.

In addition to what Matt said, you can get extra forensics on the server
by deploying a custom extension.

Mozilla has a "pushlog" extension that sits on the SSH server and
records the username of the SSH-authenticated user, the date, and the
set of commits they are pushing. This effectively establishes an audit
trail of "who pushed what when." There is even an HTML view of the
"pushlog" data on hgweb and a JSON API for people to query.

The security model assumes that only a small group of trusted people
have the power to mutate the pushlog database on the server: there is no
mechanism to perform non-append operations on the pushlog via `hg push`.

Source is available at
https://hg.mozilla.org/hgcustom/version-control-tools/file/3ce8c80a613d/hgext/pushlog-legacy

You can find our custom SSH ForceCommand script at
https://hg.mozilla.org/hgcustom/version-control-tools/file/3ce8c80a613d/scripts/pash/pash.py.

This code is a bit hacky and I'm in the process of rewriting it. That's
why "legacy" appears in some of the URLs. But the concepts are sane. We
use it for Firefox. See https://hg.mozilla.org/mozilla-central/pushloghtml
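
A minimal sketch of the append-only "who pushed what when" record described in this message, added here as an example; it is not Mozilla's pushlog code. The schema, function names, and sample values are assumptions, and the SSH-authenticated username is assumed to be handed in by the server-side SSH wrapper rather than read from commit metadata.

```python
import sqlite3
import time

# Hypothetical schema: one row per push, one row per changeset in that push.
SCHEMA = """
CREATE TABLE IF NOT EXISTS pushes (
    id   INTEGER PRIMARY KEY AUTOINCREMENT,
    user TEXT NOT NULL,     -- SSH-authenticated account, not the commit author
    date INTEGER NOT NULL   -- server-side UNIX time of the push
);
CREATE TABLE IF NOT EXISTS changesets (
    push_id INTEGER NOT NULL REFERENCES pushes(id),
    node    TEXT NOT NULL UNIQUE
);
-- Append-only: any UPDATE or DELETE against either table is aborted.
CREATE TRIGGER IF NOT EXISTS pushes_no_update BEFORE UPDATE ON pushes
BEGIN SELECT RAISE(ABORT, 'pushlog is append-only'); END;
CREATE TRIGGER IF NOT EXISTS pushes_no_delete BEFORE DELETE ON pushes
BEGIN SELECT RAISE(ABORT, 'pushlog is append-only'); END;
CREATE TRIGGER IF NOT EXISTS changesets_no_update BEFORE UPDATE ON changesets
BEGIN SELECT RAISE(ABORT, 'pushlog is append-only'); END;
CREATE TRIGGER IF NOT EXISTS changesets_no_delete BEFORE DELETE ON changesets
BEGIN SELECT RAISE(ABORT, 'pushlog is append-only'); END;
"""

def open_pushlog(path=":memory:"):
    """Open (and if needed create) the pushlog database."""
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db

def record_push(db, ssh_user, nodes, when=None):
    """Record one push atomically and return its push id."""
    if not ssh_user or not nodes:
        raise ValueError("push needs an authenticated user and at least one node")
    stamp = int(time.time() if when is None else when)
    with db:  # single transaction: the whole push is recorded or none of it
        cur = db.execute("INSERT INTO pushes (user, date) VALUES (?, ?)",
                         (ssh_user, stamp))
        db.executemany("INSERT INTO changesets (push_id, node) VALUES (?, ?)",
                       [(cur.lastrowid, n) for n in nodes])
    return cur.lastrowid

def who_pushed(db, node):
    """Return (user, date) of the push that introduced node, or None."""
    return db.execute(
        "SELECT p.user, p.date FROM changesets c "
        "JOIN pushes p ON p.id = c.push_id WHERE c.node = ?", (node,)).fetchone()
```

The triggers only block in-band mutation; anyone with write access to the database file can still alter it, which corresponds to the small group of trusted people the message assumes.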