Preventing Author Spoofing

Gregory Szorc gregory.szorc at gmail.com
Thu Nov 27 00:56:07 UTC 2014


On 11/26/14 11:57 AM, Aaron Jensen wrote:
> What is the recommended solution for preventing author spoofing? Our security team is nervous that anyone could make a commit, but use someone else's name/e-mail address.

In addition to what Matt said, you can get extra forensics on the server 
by deploying a custom extension.

Mozilla has a "pushlog" extension that sits on the SSH server and 
records the username of the SSH-authenticated user, the date, and the 
set of commits they are pushing. This effectively establishes an audit 
trail of "who pushed what when." There is even an HTML view of the 
"pushlog" data on hgweb and a JSON API for people to query.

The security model assumes that only a small group of trusted people 
have the power to mutate the pushlog database on the server: there is no 
mechanism to perform non-append operations on the pushlog via `hg push`.

Source is available at 
https://hg.mozilla.org/hgcustom/version-control-tools/file/3ce8c80a613d/hgext/pushlog-legacy

You can find our custom SSH ForceCommand script at 
https://hg.mozilla.org/hgcustom/version-control-tools/file/3ce8c80a613d/scripts/pash/pash.py.

This code is a bit hacky and I'm in the process of rewriting it. That's 
why "legacy" appears in some of the URLs. But the concepts are sane. We 
use it for Firefox. See https://hg.mozilla.org/mozilla-central/pushloghtml
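
The following is an added example, not part of the original message and not Mozilla's pushlog code: a minimal sketch of the "who pushed what when" audit trail described above, with the append-only property enforced by SQLite triggers. The table layout, function names, the `identity_map` argument and all sample values are assumptions constructed for illustration; a real deployment would call `record_push` from a server-side hook with the SSH-authenticated username.

```python
import sqlite3

def open_pushlog(path=":memory:"):
    """Create the (hypothetical) pushlog schema with append-only triggers."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE pushes (id INTEGER PRIMARY KEY AUTOINCREMENT,"
               " ssh_user TEXT NOT NULL, pushed_at INTEGER NOT NULL)")
    db.execute("CREATE TABLE push_commits (push_id INTEGER NOT NULL"
               " REFERENCES pushes(id), node TEXT NOT NULL UNIQUE,"
               " author TEXT NOT NULL)")
    # Reject every non-append operation at the SQL layer.
    for table in ("pushes", "push_commits"):
        for op in ("UPDATE", "DELETE"):
            db.execute(f"CREATE TRIGGER {table}_no_{op} BEFORE {op} ON {table} "
                       "BEGIN SELECT RAISE(ABORT, 'pushlog is append-only'); END")
    db.commit()
    return db

def record_push(db, ssh_user, pushed_at, commits):
    """Log one push. ssh_user must come from server-side authentication,
    never from commit metadata. commits is a list of (node, author)."""
    with db:  # one transaction: the push and its commits land together
        cur = db.execute("INSERT INTO pushes (ssh_user, pushed_at) VALUES (?, ?)",
                         (ssh_user, pushed_at))
        db.executemany("INSERT INTO push_commits VALUES (?, ?, ?)",
                       [(cur.lastrowid, node, author) for node, author in commits])
    return cur.lastrowid

def who_pushed(db, node):
    """Return (ssh_user, pushed_at, claimed_author) for a commit, or None."""
    return db.execute(
        "SELECT p.ssh_user, p.pushed_at, c.author FROM push_commits c "
        "JOIN pushes p ON p.id = c.push_id WHERE c.node = ?", (node,)).fetchone()

def author_mismatches(db, identity_map):
    """List (node, author, ssh_user) where the claimed author is not one of
    the pusher's known identities. These are leads for review, since people
    legitimately push commits written by others."""
    rows = db.execute("SELECT c.node, c.author, p.ssh_user FROM push_commits c "
                      "JOIN pushes p ON p.id = c.push_id ORDER BY c.rowid")
    return [r for r in rows if r[1] not in identity_map.get(r[2], set())]

if __name__ == "__main__":
    db = open_pushlog()
    # Constructed sample data: one push containing two commits.
    record_push(db, "alice@example.com", 1417049767,
                [("a" * 40, "Alice <alice@example.com>"),
                 ("b" * 40, "Bob <bob@example.com>")])
    print(who_pushed(db, "b" * 40))
    print(author_mismatches(db, {"alice@example.com": {"Alice <alice@example.com>"}}))
```

The triggers only constrain writers that go through SQL; anyone with write access to the database file can still alter it, which corresponds to the small trusted group in the security model above.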
