git.vger.kernel.org archive mirror
* How to force git to use authentication as author
@ 2011-07-14 10:36 J. Bakshi
  2011-07-14 10:38 ` Ævar Arnfjörð Bjarmason
  0 siblings, 1 reply; 15+ messages in thread
From: J. Bakshi @ 2011-07-14 10:36 UTC (permalink / raw)
  To: git

Hello,

I have set up a git repo which is protected with user authentication set by Apache itself.

<Location /git>
AuthType Basic
# Message to give to the committer
AuthName "Write access requires a password"
# File listing users with write (commit) access
AuthUserFile /home/git/PASSWD
Require valid-user
</Location>

Now users are required to use their authentication as per the /home/git/PASSWD file (generated by htpasswd). How can I force git to use the username as defined in /home/git/PASSWD as the author name for git commit?

Thanks


* Re: How to force git to use authentication as author
  2011-07-14 10:36 How to force git to use authentication as author J. Bakshi
@ 2011-07-14 10:38 ` Ævar Arnfjörð Bjarmason
  2011-07-14 10:48   ` J. Bakshi
  0 siblings, 1 reply; 15+ messages in thread
From: Ævar Arnfjörð Bjarmason @ 2011-07-14 10:38 UTC (permalink / raw)
  To: J. Bakshi; +Cc: git

On Thu, Jul 14, 2011 at 12:36, J. Bakshi <joydeep@infoservices.in> wrote:

> How can I force git to use the username as define at /home/git/PASSWD as the author name for git commit ?

Edit the global bashrc to have:

    export GIT_AUTHOR_NAME=$(cat ~/PASSWD)

?


* Re: How to force git to use authentication as author
  2011-07-14 10:38 ` Ævar Arnfjörð Bjarmason
@ 2011-07-14 10:48   ` J. Bakshi
  2011-07-14 11:00     ` Carlos Martín Nieto
  0 siblings, 1 reply; 15+ messages in thread
From: J. Bakshi @ 2011-07-14 10:48 UTC (permalink / raw)
  To: Ævar Arnfjörð Bjarmason; +Cc: git

On Thu, 14 Jul 2011 12:38:59 +0200
Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:

> On Thu, Jul 14, 2011 at 12:36, J. Bakshi <joydeep@infoservices.in> wrote:
> 
> > How can I force git to use the username as define at /home/git/PASSWD as the author name for git commit ?
> 
> Edit the global bashrc to have:
> 
>     export GIT_AUTHOR_NAME=$(cat ~/PASSWD)
> 
> ?

Thanks. 

[1] Will it work with a file generated by htpasswd? That file is actually created by the same (/home/git/PASSWD).

[2] And the commit is over http, so is it effective to set the value by .bashrc?


* Re: How to force git to use authentication as author
  2011-07-14 10:48   ` J. Bakshi
@ 2011-07-14 11:00     ` Carlos Martín Nieto
  2011-07-14 11:15       ` J. Bakshi
  0 siblings, 1 reply; 15+ messages in thread
From: Carlos Martín Nieto @ 2011-07-14 11:00 UTC (permalink / raw)
  To: J. Bakshi; +Cc: Ævar Arnfjörð Bjarmason, git

On Thu, 2011-07-14 at 16:18 +0530, J. Bakshi wrote:
> On Thu, 14 Jul 2011 12:38:59 +0200
> Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
> 
> > On Thu, Jul 14, 2011 at 12:36, J. Bakshi <joydeep@infoservices.in>
> wrote:
> > 
> > > How can I force git to use the username as define
> at /home/git/PASSWD as the author name for git commit ?
> > 
> > Edit the global bashrc to have:
> > 
> >     export GIT_AUTHOR_NAME=$(cat ~/PASSWD)
> > 
> > ?
> 
> Thanks. 
> 
> [1] will it work with file generated by htpasswd ? as that file is
> actually created by same (/home/git/PASSWD)

Not directly, if it only has one line, then $(cat ~/PASSWD | cut -d ':'
-f 1) should work, but I haven't tested it.

> 
> [2] And the commit is over http, So is it effective to set the value
> by .bashrc ?

You are misunderstanding either how git works or the nomenclature. The
commits all happen locally and need no authentication whatsoever (and
usually you're expected to use a real name and email address). When you
need to authenticate is when you push your changes somewhere (a central
repo, for example). This is where the ~/.netrc file comes into play, as
I mentioned in the reply to your other mail.

Cheers,
   cmn


* Re: How to force git to use authentication as author
  2011-07-14 11:00     ` Carlos Martín Nieto
@ 2011-07-14 11:15       ` J. Bakshi
  2011-07-14 11:38         ` Carlos Martín Nieto
                           ` (2 more replies)
  0 siblings, 3 replies; 15+ messages in thread
From: J. Bakshi @ 2011-07-14 11:15 UTC (permalink / raw)
  To: Carlos Martín Nieto; +Cc: Ævar Arnfjörð Bjarmason, git

On Thu, 14 Jul 2011 13:00:02 +0200
Carlos Martín Nieto <cmn@elego.de> wrote:

> On Thu, 2011-07-14 at 16:18 +0530, J. Bakshi wrote:
> > On Thu, 14 Jul 2011 12:38:59 +0200
> > Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
> > 
> > > On Thu, Jul 14, 2011 at 12:36, J. Bakshi <joydeep@infoservices.in>
> > wrote:
> > > 
> > > > How can I force git to use the username as define
> > at /home/git/PASSWD as the author name for git commit ?
> > > 
> > > Edit the global bashrc to have:
> > > 
> > >     export GIT_AUTHOR_NAME=$(cat ~/PASSWD)
> > > 
> > > ?
> > 
> > Thanks. 
> > 
> > [1] will it work with file generated by htpasswd ? as that file is
> > actually created by same (/home/git/PASSWD)
> 
> Not directly, if it only has one line, then $(cat ~/PASSWD | cut -d ':'
> -f 1) should work, but I haven't tested it.
> 
> > 
> > [2] And the commit is over http, So is it effective to set the value
> > by .bashrc ?
> 
> You are misunderstanding either how git works or the nomenclature. The
> commits all happen locally and need no authentication whatsoever (and
> usually you're expected to use a real name and email address). When you
> need to authenticate is when you push your changes somewhere (a central
> repo, for example). This is where the ~/.netrc file comes into play, as
> I mentioned in the reply to your other mail.
> 
Exactly, when we need to push we are asked about authentication. I'd like to configure the central git server in such a way that the user name used for authentication is set as the author name by the git server itself. Actually, it is how I configured the svn server over http, so I am trying to achieve the same here. Say your user name is in the htpasswd file as Carlos; when you authenticate as Carlos to push, the author name will automatically become Carlos. No way to customize that with a specific username. That's the idea.

Thanks


* Re: How to force git to use authentication as author
  2011-07-14 11:15       ` J. Bakshi
@ 2011-07-14 11:38         ` Carlos Martín Nieto
  2011-07-14 12:00           ` Erik Faye-Lund
                             ` (2 more replies)
  2011-07-14 11:38         ` J. Bakshi
  2011-07-14 11:53         ` Erik Faye-Lund
  2 siblings, 3 replies; 15+ messages in thread
From: Carlos Martín Nieto @ 2011-07-14 11:38 UTC (permalink / raw)
  To: J. Bakshi; +Cc: Ævar Arnfjörð Bjarmason, git


On Thu, 2011-07-14 at 16:45 +0530, J. Bakshi wrote:
> On Thu, 14 Jul 2011 13:00:02 +0200
> Carlos Martín Nieto <cmn@elego.de> wrote:
> 
> > On Thu, 2011-07-14 at 16:18 +0530, J. Bakshi wrote:
> > > On Thu, 14 Jul 2011 12:38:59 +0200
> > > Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
> > > 
> > > > On Thu, Jul 14, 2011 at 12:36, J. Bakshi <joydeep@infoservices.in>
> > > wrote:
> > > > 
> > > > > How can I force git to use the username as define
> > > at /home/git/PASSWD as the author name for git commit ?
> > > > 
> > > > Edit the global bashrc to have:
> > > > 
> > > >     export GIT_AUTHOR_NAME=$(cat ~/PASSWD)
> > > > 
> > > > ?
> > > 
> > > Thanks. 
> > > 
> > > [1] will it work with file generated by htpasswd ? as that file is
> > > actually created by same (/home/git/PASSWD)
> > 
> > Not directly, if it only has one line, then $(cat ~/PASSWD | cut -d ':'
> > -f 1) should work, but I haven't tested it.
> > 
> > > 
> > > [2] And the commit is over http, So is it effective to set the value
> > > by .bashrc ?
> > 
> > You are misunderstanding either how git works or the nomenclature. The
> > commits all happen locally and need no authentication whatsoever (and
> > usually you're expected to use a real name and email address). When you
> > need to authenticate is when you push your changes somewhere (a central
> > repo, for example). This is where the ~/.netrc file comes into play, as
> > I mentioned in the reply to your other mail.
> > 
> Exactly, when we need to push we are asked about authentication. I
> like to configure the central git server in a way so that the
> user-name as in authentication, be set as author name by the git
> server itself. actually it is how I configured svn server over http.
> So comparing to that I am trying to achieve the same. Say your
> user-name is there at htpasswd file as Carlos, so when you
> authenticate by Carlos to push , the author-name will automatically
> become as Carlos. No way to customize that with specific username.
> That's the idea.

That's not how it works. It may even be possible to rewrite the commits
in the post-receive hook in a way that most stuff doesn't break
horribly, this would be rewriting history behind the users' backs, and
that only brings problems.

The way to set the author name and mail in a standard way, be it
user-wide or per-repo. You can write up some simple instructions on how
to do it.

    git config user.name "Max Smith"
    git config user.email max.smith@example.com

and if the config should be valid for every repo, use --global flag.
There is more information in the manual page.

You could then add a check in the post-receive hook to reject pushes
with invalid author names, if you feel it's worth it.

Taking a step back, why is this even an issue, though? If you don't
trust your developers to set their name and email correctly, why do you
trust them to write code? If it's company policy for people to be
referred to by their usernames rather than their given names, why not
tell them to set it to that[0]? It seems like you are trying to solve a
social issue with a technological measure that works at a different
level.

[0] and given that they're probably using their company email address,
it wouldn't be a problem to get a unique ID for each developer if that's
what you need.

Cheers,
   cmn



* Re: How to force git to use authentication as author
  2011-07-14 11:15       ` J. Bakshi
  2011-07-14 11:38         ` Carlos Martín Nieto
@ 2011-07-14 11:38         ` J. Bakshi
  2011-07-14 11:53         ` Erik Faye-Lund
  2 siblings, 0 replies; 15+ messages in thread
From: J. Bakshi @ 2011-07-14 11:38 UTC (permalink / raw)
  Cc: Carlos Martín Nieto, Ævar Arnfjörð Bjarmason, git

On Thu, 14 Jul 2011 16:45:47 +0530
"J. Bakshi" <joydeep@infoservices.in> wrote:

> On Thu, 14 Jul 2011 13:00:02 +0200
> Carlos Martín Nieto <cmn@elego.de> wrote:
> 
> > On Thu, 2011-07-14 at 16:18 +0530, J. Bakshi wrote:
> > > On Thu, 14 Jul 2011 12:38:59 +0200
> > > Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
> > > 
> > > > On Thu, Jul 14, 2011 at 12:36, J. Bakshi <joydeep@infoservices.in>
> > > wrote:
> > > > 
> > > > > How can I force git to use the username as define
> > > at /home/git/PASSWD as the author name for git commit ?
> > > > 
> > > > Edit the global bashrc to have:
> > > > 
> > > >     export GIT_AUTHOR_NAME=$(cat ~/PASSWD)
> > > > 
> > > > ?
> > > 
> > > Thanks. 
> > > 
> > > [1] will it work with file generated by htpasswd ? as that file is
> > > actually created by same (/home/git/PASSWD)
> > 
> > Not directly, if it only has one line, then $(cat ~/PASSWD | cut -d ':'
> > -f 1) should work, but I haven't tested it.
> > 
> > > 
> > > [2] And the commit is over http, So is it effective to set the value
> > > by .bashrc ?
> > 
> > You are misunderstanding either how git works or the nomenclature. The
> > commits all happen locally and need no authentication whatsoever (and
> > usually you're expected to use a real name and email address). When you
> > need to authenticate is when you push your changes somewhere (a central
> > repo, for example). This is where the ~/.netrc file comes into play, as
> > I mentioned in the reply to your other mail.
> > 
> Exactly, when we need to push we are asked about authentication. I like to configure the central git server in a way so that the user-name as in authentication, be set as author name by the git server itself. actually it is how I configured svn server over http. So comparing to that I am trying to achieve the same. Say your user-name is there at htpasswd file as Carlos, so when you authenticate by Carlos to push , the author-name will automatically become as Carlos. No way to customize that with specific username. That's the idea.
> 
> Thanks
> 

Following the link below, it seems not possible right now

http://permalink.gmane.org/gmane.comp.version-control.git/171444


* Re: How to force git to use authentication as author
  2011-07-14 11:15       ` J. Bakshi
  2011-07-14 11:38         ` Carlos Martín Nieto
  2011-07-14 11:38         ` J. Bakshi
@ 2011-07-14 11:53         ` Erik Faye-Lund
  2011-07-14 19:45           ` Jonathan Nieder
  2 siblings, 1 reply; 15+ messages in thread
From: Erik Faye-Lund @ 2011-07-14 11:53 UTC (permalink / raw)
  To: J. Bakshi; +Cc: Carlos Martín Nieto, Ævar Arnfjörð, git

On Thu, Jul 14, 2011 at 1:15 PM, J. Bakshi <joydeep@infoservices.in> wrote:
> On Thu, 14 Jul 2011 13:00:02 +0200 Carlos Martín Nieto <cmn@elego.de> wrote:
>> You are misunderstanding either how git works or the nomenclature. The
>> commits all happen locally and need no authentication whatsoever (and
>> usually you're expected to use a real name and email address). When you
>> need to authenticate is when you push your changes somewhere (a central
>> repo, for example). This is where the ~/.netrc file comes into play, as
>> I mentioned in the reply to your other mail.
>>
> Exactly, when we need to push we are asked about authentication.

In Git (as you probably know), authentication is not the same as
authorship. Because of the distributed nature of Git, a certain change
can reach the repo without going through a central repo (e.g by
mailing, pushing to a third-party repo etc).

So to be friendly to different work-flows while retaining authorship,
authorship (both of the change itself and of the commit object) needed
to be decoupled from authentication.

> I like to configure the central git server in a way so that the user-name as in authentication, be set as author name by the git server itself.

There's no way you can set this up from the server-side. Commits are
created without communication with the server, again due to the
distributed nature of Git.

The only thing you can do at the server-side (and it quickly gets
ugly), is to try to validate the pushed commits through a hook. You
could probably verify that the authorship is the same as the
authentication, but this breaks distributed work-flows. A slightly
better approach would be to verify the committer (as opposed to the
patch-author), as this allows for e-mailed patches to retain the
original authorship. But it still breaks work-flows that use bundles
or pushing between different repos (and probably more), so it's not
exactly elegant.

So let's step back a little bit. Why do you want the author to be
identical to the authenticated user in the first place? Is it to be
able to *prove* (i.e not trust the users that push) who wrote what
code? If so, let me first tell you that giving someone push-access
while not trusting them is a bit crazy. But if you're happy with being
a bit crazy, you might want to somehow cryptographically sign the
commits instead. I'd go for PGP-signing the patch-id, and putting that
in a git-note.

> actually it is how I configured svn server over http. So comparing to that I am trying to achieve the same. Say your user-name is there at htpasswd file as Carlos, so when you authenticate by Carlos to push , the author-name will automatically become as Carlos. No way to customize that with specific username. That's the idea.

Being the same as in SVN is not a good thing in itself. I've
personally had lots of pain when moving SVN servers, because users are
a server-local thing (so the repository needs to be rewritten or
whatnot). And I'm not even an SVN "power-user". The beauty about
having the name + e-mail pair in Git is that the commits do not change
no matter what. The history stays the same, you just change the
authentication.
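
Added example, not part of any message in this thread: the server-side check that Carlos Martín Nieto and Erik Faye-Lund describe, comparing each pushed commit's committer name with the authenticated user. It is written as a pre-receive hook, because that hook's non-zero exit is what refuses a push, and it assumes pushes go through git-http-backend behind the Apache Basic-auth block so that REMOTE_USER is set in the hook's environment; the function names are illustrative.

```sh
#!/bin/sh
# pre-receive hook (added example): refuse a push if any commit it introduces
# has a committer name other than the HTTP-authenticated user.
# Assumption: git-http-backend runs behind Apache Basic auth, so REMOTE_USER
# is present in the hook's environment.

# stdin: "sha<TAB>committer name" lines.
# Prints the lines whose committer is not $1; returns 1 if any, else 0.
mismatched_committers() {
    EXPECTED="$1" awk -F '\t' '
        $2 != ENVIRON["EXPECTED"] { print; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# stdin: the "<old> <new> <ref>" lines git feeds to pre-receive.
main() {
    if [ -z "${REMOTE_USER:-}" ]; then
        echo "rejected: no authenticated user (REMOTE_USER is unset)" >&2
        return 1
    fi
    status=0
    while read -r old new ref; do
        # An all-zero <new> is a ref deletion: nothing to inspect.
        case "$new" in *[!0]*) ;; *) continue ;; esac

        # Commits reachable from <new> but from no existing ref, i.e. the
        # ones this push adds. Fail closed if git itself errors out.
        if ! commits=$(git log --format='%H%x09%cn' "$new" --not --all); then
            echo "rejected $ref: could not list new commits" >&2
            status=1
            continue
        fi
        if [ -z "$commits" ]; then
            continue
        fi

        if ! bad=$(printf '%s\n' "$commits" | mismatched_committers "$REMOTE_USER"); then
            echo "rejected $ref: committer is not '$REMOTE_USER' in:" >&2
            printf '%s\n' "$bad" >&2
            status=1
        fi
    done
    return "$status"
}

# Run only when installed as hooks/pre-receive, so the file can also be
# sourced to exercise the functions.
case "${0##*/}" in
    pre-receive) main; exit $? ;;
esac
```

It checks the committer rather than the author, so e-mailed patches keep their original authorship; pushes that carry commits made by other people (bundles, pulls between repositories) are still refused, which is the work-flow cost raised above.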


* Re: How to force git to use authentication as author
  2011-07-14 11:38         ` Carlos Martín Nieto
@ 2011-07-14 12:00           ` Erik Faye-Lund
  2011-07-14 12:19             ` J. Bakshi
  2011-07-14 12:01           ` J. Bakshi
  2011-07-14 12:44           ` Jakub Narebski
  2 siblings, 1 reply; 15+ messages in thread
From: Erik Faye-Lund @ 2011-07-14 12:00 UTC (permalink / raw)
  To: Carlos Martín Nieto; +Cc: J. Bakshi, Ævar Arnfjörð, git

On Thu, Jul 14, 2011 at 1:38 PM, Carlos Martín Nieto <cmn@elego.de> wrote:
> On Thu, 2011-07-14 at 16:45 +0530, J. Bakshi wrote:
>> On Thu, 14 Jul 2011 13:00:02 +0200
>> Carlos Martín Nieto <cmn@elego.de> wrote:
>>
>> > On Thu, 2011-07-14 at 16:18 +0530, J. Bakshi wrote:
>> > > On Thu, 14 Jul 2011 12:38:59 +0200
>> > > Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
>> > >
>> > > > On Thu, Jul 14, 2011 at 12:36, J. Bakshi <joydeep@infoservices.in>
>> > > wrote:
>> > > >
>> > > > > How can I force git to use the username as define
>> > > at /home/git/PASSWD as the author name for git commit ?
>> > > >
>> > > > Edit the global bashrc to have:
>> > > >
>> > > >     export GIT_AUTHOR_NAME=$(cat ~/PASSWD)
>> > > >
>> > > > ?
>> > >
>> > > Thanks.
>> > >
>> > > [1] will it work with file generated by htpasswd ? as that file is
>> > > actually created by same (/home/git/PASSWD)
>> >
>> > Not directly, if it only has one line, then $(cat ~/PASSWD | cut -d ':'
>> > -f 1) should work, but I haven't tested it.
>> >
>> > >
>> > > [2] And the commit is over http, So is it effective to set the value
>> > > by .bashrc ?
>> >
>> > You are misunderstanding either how git works or the nomenclature. The
>> > commits all happen locally and need no authentication whatsoever (and
>> > usually you're expected to use a real name and email address). When you
>> > need to authenticate is when you push your changes somewhere (a central
>> > repo, for example). This is where the ~/.netrc file comes into play, as
>> > I mentioned in the reply to your other mail.
>> >
>> Exactly, when we need to push we are asked about authentication. I
>> like to configure the central git server in a way so that the
>> user-name as in authentication, be set as author name by the git
>> server itself. actually it is how I configured svn server over http.
>> So comparing to that I am trying to achieve the same. Say your
>> user-name is there at htpasswd file as Carlos, so when you
>> authenticate by Carlos to push , the author-name will automatically
>> become as Carlos. No way to customize that with specific username.
>> That's the idea.
>
> That's not how it works. It may even be possible to rewrite the commits
> in the post-receive hook in a way that most stuff doesn't break
> horribly, this would be rewriting history behind the users' backs, and
> that only brings problems.

This will (as you point out) only lead to problems, because rewriting
the history at commit-time will have the effect that a push leaves you
in the situation where you end up with a different history on the
workstation and the server. All branches off the pushed branch will
become a hell, and a clusterfck of darkness and terror will take over.

> The way to set the author name and mail in a standard way, be it
> user-wide or per-repo. You can write up some simple instructions on how
> to do it.
>
>    git config user.name "Max Smith"
>    git config user.email max.smith@example.com
>
> and if the config should be valid for every repo, use --global flag.
> There is more information in the manual page.
>
> You could then add a check in the post-receive hook to reject pushes
> with invalid author names, if you feel it's worth it.
>

Denying a push is much more elegant than rewriting, but (as I pointed
out in my other mail) also has a lot of problems with distributed
work-flows. And let's face it when changing from SVN to Git, the
distributed nature is about the last feature that you'd want to give
up ;)

> Taking a step back, why is this even an issue, though? If you don't
> trust your developers to set their name and email correctly, why do you
> trust them to write code? If it's company policy for people to be
> referred to by their usernames rather than their given names, why not
> tell them to set it to that[0]? It seems like you are trying to solve a
> social issue with a technological measure that works at a different
> level.

Very well said, I completely agree!


* Re: How to force git to use authentication as author
  2011-07-14 11:38         ` Carlos Martín Nieto
  2011-07-14 12:00           ` Erik Faye-Lund
@ 2011-07-14 12:01           ` J. Bakshi
  2011-07-14 12:16             ` Ferry Huberts
  2011-07-14 12:44           ` Jakub Narebski
  2 siblings, 1 reply; 15+ messages in thread
From: J. Bakshi @ 2011-07-14 12:01 UTC (permalink / raw)
  To: Carlos Martín Nieto; +Cc: Ævar Arnfjörð Bjarmason, git

On Thu, 14 Jul 2011 13:38:02 +0200
Carlos Martín Nieto <cmn@elego.de> wrote:

> On Thu, 2011-07-14 at 16:45 +0530, J. Bakshi wrote:
> > On Thu, 14 Jul 2011 13:00:02 +0200
> > Carlos Martín Nieto <cmn@elego.de> wrote:
> > 
> > > On Thu, 2011-07-14 at 16:18 +0530, J. Bakshi wrote:
> > > > On Thu, 14 Jul 2011 12:38:59 +0200
> > > > Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
> > > > 
> > > > > On Thu, Jul 14, 2011 at 12:36, J. Bakshi <joydeep@infoservices.in>
> > > > wrote:
> > > > > 
> > > > > > How can I force git to use the username as define
> > > > at /home/git/PASSWD as the author name for git commit ?
> > > > > 
> > > > > Edit the global bashrc to have:
> > > > > 
> > > > >     export GIT_AUTHOR_NAME=$(cat ~/PASSWD)
> > > > > 
> > > > > ?
> > > > 
> > > > Thanks. 
> > > > 
> > > > [1] will it work with file generated by htpasswd ? as that file is
> > > > actually created by same (/home/git/PASSWD)
> > > 
> > > Not directly, if it only has one line, then $(cat ~/PASSWD | cut -d ':'
> > > -f 1) should work, but I haven't tested it.
> > > 
> > > > 
> > > > [2] And the commit is over http, So is it effective to set the value
> > > > by .bashrc ?
> > > 
> > > You are misunderstanding either how git works or the nomenclature. The
> > > commits all happen locally and need no authentication whatsoever (and
> > > usually you're expected to use a real name and email address). When you
> > > need to authenticate is when you push your changes somewhere (a central
> > > repo, for example). This is where the ~/.netrc file comes into play, as
> > > I mentioned in the reply to your other mail.
> > > 
> > Exactly, when we need to push we are asked about authentication. I
> > like to configure the central git server in a way so that the
> > user-name as in authentication, be set as author name by the git
> > server itself. actually it is how I configured svn server over http.
> > So comparing to that I am trying to achieve the same. Say your
> > user-name is there at htpasswd file as Carlos, so when you
> > authenticate by Carlos to push , the author-name will automatically
> > become as Carlos. No way to customize that with specific username.
> > That's the idea.
> 
> That's not how it works. It may even be possible to rewrite the commits
> in the post-receive hook in a way that most stuff doesn't break
> horribly, this would be rewriting history behind the users' backs, and
> that only brings problems.
> 
> The way to set the author name and mail in a standard way, be it
> user-wide or per-repo. You can write up some simple instructions on how
> to do it.
> 
>     git config user.name "Max Smith"
>     git config user.email max.smith@example.com
> 
> and if the config should be valid for every repo, use --global flag.
> There is more information in the manual page.
> 
> You could then add a check in the post-receive hook to reject pushes
> with invalid author names, if you feel it's worth it.
> 
> Taking a step back, why is this even an issue, though? If you don't
> trust your developers to set their name and email correctly, why do you
> trust them to write code? If it's company policy for people to be
> referred to by their usernames rather than their given names, why not
> tell them to set it to that[0]? It seems like you are trying to solve a
> social issue with a technological measure that works at a different
> level.
> 

Certainly not an issue at all. As I have mentioned before, it is how the svn repo is working here.
So we are trying to follow the same with git too, without affecting too much of the already running
environment, so that the users need not bother too much with git. But as I have found, it is not possible right now:

http://permalink.gmane.org/gmane.comp.version-control.git/171444


* Re: How to force git to use authentication as author
  2011-07-14 12:01           ` J. Bakshi
@ 2011-07-14 12:16             ` Ferry Huberts
  0 siblings, 0 replies; 15+ messages in thread
From: Ferry Huberts @ 2011-07-14 12:16 UTC (permalink / raw)
  To: J. Bakshi
  Cc: Carlos Martín Nieto, Ævar Arnfjörð Bjarmason, git

On 07/14/2011 02:01 PM, J. Bakshi wrote:
> On Thu, 14 Jul 2011 13:38:02 +0200
> Carlos Martín Nieto <cmn@elego.de> wrote:
> 
>> On Thu, 2011-07-14 at 16:45 +0530, J. Bakshi wrote:
>>> On Thu, 14 Jul 2011 13:00:02 +0200
>>> Carlos Martín Nieto <cmn@elego.de> wrote:
>>>
>>>> On Thu, 2011-07-14 at 16:18 +0530, J. Bakshi wrote:
>>>>> On Thu, 14 Jul 2011 12:38:59 +0200
>>>>> Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
>>>>>
>>>>>> On Thu, Jul 14, 2011 at 12:36, J. Bakshi <joydeep@infoservices.in>
>>>>> wrote:
>>>>>>
>>>>>>> How can I force git to use the username as define
>>>>> at /home/git/PASSWD as the author name for git commit ?
>>>>>>
>>>>>> Edit the global bashrc to have:
>>>>>>
>>>>>>     export GIT_AUTHOR_NAME=$(cat ~/PASSWD)
>>>>>>
>>>>>> ?
>>>>>
>>>>> Thanks. 
>>>>>
>>>>> [1] will it work with file generated by htpasswd ? as that file is
>>>>> actually created by same (/home/git/PASSWD)
>>>>
>>>> Not directly, if it only has one line, then $(cat ~/PASSWD | cut -d ':'
>>>> -f 1) should work, but I haven't tested it.
>>>>
>>>>>
>>>>> [2] And the commit is over http, So is it effective to set the value
>>>>> by .bashrc ?
>>>>
>>>> You are misunderstanding either how git works or the nomenclature. The
>>>> commits all happen locally and need no authentication whatsoever (and
>>>> usually you're expected to use a real name and email address). When you
>>>> need to authenticate is when you push your changes somewhere (a central
>>>> repo, for example). This is where the ~/.netrc file comes into play, as
>>>> I mentioned in the reply to your other mail.
>>>>
>>> Exactly, when we need to push we are asked about authentication. I
>>> like to configure the central git server in a way so that the
>>> user-name as in authentication, be set as author name by the git
>>> server itself. actually it is how I configured svn server over http.
>>> So comparing to that I am trying to achieve the same. Say your
>>> user-name is there at htpasswd file as Carlos, so when you
>>> authenticate by Carlos to push , the author-name will automatically
>>> become as Carlos. No way to customize that with specific username.
>>> That's the idea.
>>
>> That's not how it works. It may even be possible to rewrite the commits
>> in the post-receive hook in a way that most stuff doesn't break
>> horribly, this would be rewriting history behind the users' backs, and
>> that only brings problems.
>>
>> The way to set the author name and mail in a standard way, be it
>> user-wide or per-repo. You can write up some simple instructions on how
>> to do it.
>>
>>     git config user.name "Max Smith"
>>     git config user.email max.smith@example.com
>>
>> and if the config should be valid for every repo, use --global flag.
>> There is more information in the manual page.
>>
>> You could then add a check in the post-receive hook to reject pushes
>> with invalid author names, if you feel it's worth it.
>>
>> Taking a step back, why is this even an issue, though? If you don't
>> trust your developers to set their name and email correctly, why do you
>> trust them to write code? If it's company policy for people to be
>> referred to by their usernames rather than their given names, why not
>> tell them to set it to that[0]? It seems like you are trying to solve a
>> social issue with a technological measure that works at a different
>> level.
>>
> 
> Certainly not an issue at all. As I have mentioned before it is how the svn repo is working here. 
> So we are trying to follow the same with git too. Without affecting too much of the already running
> environment, so that the users need not bother too much with git. But as I have found it is not possible right now
> 

As Erik said:

> This will (as you point out) only lead to problems, because rewriting
> the history at commit-time will have the effect that a push leaves you
> in the situation where you end up with a different history on the
> workstation and the server. All branches off the pushed branch will
> become a hell, and a clusterfck of darkness and terror will take over.

SVN and Git are _totally_ different models. Do not try to force Git into
the svn model, it'll just give you __major__ headaches.

OTOH: It'll teach your users all the advanced uses of Git very rapidly. LOL

> http://permalink.gmane.org/gmane.comp.version-control.git/171444


-- 
Ferry Huberts


* Re: How to force git to use authentication as author
  2011-07-14 12:00           ` Erik Faye-Lund
@ 2011-07-14 12:19             ` J. Bakshi
  2011-07-14 12:26               ` Carlos Martín Nieto
  0 siblings, 1 reply; 15+ messages in thread
From: J. Bakshi @ 2011-07-14 12:19 UTC (permalink / raw)
  To: kusmabite; +Cc: Carlos Martín Nieto, Ævar Arnfjörð, git

On Thu, 14 Jul 2011 14:00:06 +0200
Erik Faye-Lund <kusmabite@gmail.com> wrote:

> On Thu, Jul 14, 2011 at 1:38 PM, Carlos Martín Nieto <cmn@elego.de> wrote:
> > On Thu, 2011-07-14 at 16:45 +0530, J. Bakshi wrote:
> >> On Thu, 14 Jul 2011 13:00:02 +0200
> >> Carlos Martín Nieto <cmn@elego.de> wrote:
> >>
> >> > On Thu, 2011-07-14 at 16:18 +0530, J. Bakshi wrote:
> >> > > On Thu, 14 Jul 2011 12:38:59 +0200
> >> > > Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
> >> > >
> >> > > > On Thu, Jul 14, 2011 at 12:36, J. Bakshi <joydeep@infoservices.in>
> >> > > wrote:
> >> > > >
> >> > > > > How can I force git to use the username as define
> >> > > at /home/git/PASSWD as the author name for git commit ?
> >> > > >
> >> > > > Edit the global bashrc to have:
> >> > > >
> >> > > >     export GIT_AUTHOR_NAME=$(cat ~/PASSWD)
> >> > > >
> >> > > > ?
> >> > >
> >> > > Thanks.
> >> > >
> >> > > [1] will it work with file generated by htpasswd ? as that file is
> >> > > actually created by same (/home/git/PASSWD)
> >> >
> >> > Not directly, if it only has one line, then $(cat ~/PASSWD | cut -d ':'
> >> > -f 1) should work, but I haven't tested it.
> >> >
> >> > >
> >> > > [2] And the commit is over http, So is it effective to set the value
> >> > > by .bashrc ?
> >> >
> >> > You are misunderstanding either how git works or the nomenclature. The
> >> > commits all happen locally and need no authentication whatsoever (and
> >> > usually you're expected to use a real name and email address). When you
> >> > need to authenticate is when you push your changes somewhere (a central
> >> > repo, for example). This is where the ~/.netrc file comes into play, as
> >> > I mentioned in the reply to your other mail.
> >> >
> >> Exactly, when we need to push we are asked about authentication. I
> >> like to configure the central git server in a way so that the
> >> user-name as in authentication, be set as author name by the git
> >> server itself. actually it is how I configured svn server over http.
> >> So comparing to that I am trying to achieve the same. Say your
> >> user-name is there at htpasswd file as Carlos, so when you
> >> authenticate by Carlos to push , the author-name will automatically
> >> become as Carlos. No way to customize that with specific username.
> >> That's the idea.
> >
> > That's not how it works. It may even be possible to rewrite the commits
> > in the post-receive hook in a way that most stuff doesn't break
> > horribly, this would be rewriting history behind the users' backs, and
> > that only brings problems.
> 
> This will (as you point out) only lead to problems, because rewriting
> the history at commit-time will have the effect that a push leaves you
> in the situation where you end up with a different history on the
> workstation and the server. All branches off the pushed branch will
> become a hell, and a clusterfck of darkness and terror will take over.
> 
> > The way to set the author name and mail in a standard way, be it
> > user-wide or per-repo. You can write up some simple instructions on how
> > to do it.
> >
> >    git config user.name "Max Smith"
> >    git config user.email max.smith@example.com
> >
> > and if the config should be valid for every repo, use --global flag.
> > There is more information in the manual page.
> >
> > You could then add a check in the post-receive hook to reject pushes
> > with invalid author names, if you feel it's worth it.
> >
> 
> Denying a push is much more elegant than rewriting, but (as I pointed
> out in my other mail) also has a lot of problems with distributed
> work-flows. And let's face it when changing from SVN to Git, the
> distributed nature is about the last feature that you'd want to give
> up ;)
> 
> > Taking a step back, why is this even an issue, though? If you don't
> > trust your developers to set their name and email correctly, why do you
> > trust them to write code? If it's company policy for people to be
> > referred to by their usernames rather than their given names, why not
> > tell them to set it to that[0]? It seems like you are trying to solve a
> > social issue with a technological measure that works at a different
> > level.
> 
> Very well said, I completely agree!

As I mentioned already in my previous mail, it is not an issue but we
presently use it with svn in a positive way.
Say 5 designers are working with the same template, but in different
sections. So it is very easy to understand who is working on what,
and also these 5 designers can see/review the code among themselves and
how previous code affects their work. So these features are exploited
here in that positive direction.

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: How to force git to use authentication as author
  2011-07-14 12:19             ` J. Bakshi
@ 2011-07-14 12:26               ` Carlos Martín Nieto
  0 siblings, 0 replies; 15+ messages in thread
From: Carlos Martín Nieto @ 2011-07-14 12:26 UTC (permalink / raw)
  To: J. Bakshi; +Cc: kusmabite, Ævar Arnfjörð, git

On Thu, 2011-07-14 at 17:49 +0530, J. Bakshi wrote:
> On Thu, 14 Jul 2011 14:00:06 +0200
> Erik Faye-Lund <kusmabite@gmail.com> wrote:
> 
> > On Thu, Jul 14, 2011 at 1:38 PM, Carlos Martín Nieto <cmn@elego.de> wrote:
> > > On Thu, 2011-07-14 at 16:45 +0530, J. Bakshi wrote:
> > >> On Thu, 14 Jul 2011 13:00:02 +0200
> > >> Carlos Martín Nieto <cmn@elego.de> wrote:
> > >>
> > >> > On Thu, 2011-07-14 at 16:18 +0530, J. Bakshi wrote:
> > >> > > On Thu, 14 Jul 2011 12:38:59 +0200
> > >> > > Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
> > >> > >
> > >> > > > On Thu, Jul 14, 2011 at 12:36, J. Bakshi <joydeep@infoservices.in>
> > >> > > wrote:
> > >> > > >
> > >> > > > > How can I force git to use the username as define
> > >> > > at /home/git/PASSWD as the author name for git commit ?
> > >> > > >
> > >> > > > Edit the global bashrc to have:
> > >> > > >
> > >> > > >     export GIT_AUTHOR_NAME=$(cat ~/PASSWD)
> > >> > > >
> > >> > > > ?
> > >> > >
> > >> > > Thanks.
> > >> > >
> > >> > > [1] will it work with file generated by htpasswd ? as that file is
> > >> > > actually created by same (/home/git/PASSWD)
> > >> >
> > >> > Not directly, if it only has one line, then $(cat ~/PASSWD | cut -d ':'
> > >> > -f 1) should work, but I haven't tested it.
> > >> >
> > >> > >
> > >> > > [2] And the commit is over http, So is it effective to set the value
> > >> > > by .bashrc ?
> > >> >
> > >> > You are misunderstanding either how git works or the nomenclature. The
> > >> > commits all happen locally and need no authentication whatsoever (and
> > >> > usually you're expected to use a real name and email address). When you
> > >> > need to authenticate is when you push your changes somewhere (a central
> > >> > repo, for example). This is where the ~/.netrc file comes into play, as
> > >> > I mentioned in the reply to your other mail.
> > >> >
> > >> Exactly, when we need to push we are asked about authentication. I
> > >> like to configure the central git server in a way so that the
> > >> user-name as in authentication, be set as author name by the git
> > >> server itself. actually it is how I configured svn server over http.
> > >> So comparing to that I am trying to achieve the same. Say your
> > >> user-name is there at htpasswd file as Carlos, so when you
> > >> authenticate by Carlos to push , the author-name will automatically
> > >> become as Carlos. No way to customize that with specific username.
> > >> That's the idea.
> > >
> > > That's not how it works. It may even be possible to rewrite the commits
> > > in the post-receive hook in a way that most stuff doesn't break
> > > horribly, this would be rewriting history behind the users' backs, and
> > > that only brings problems.
> > 
> > This will (as you point out) only lead to problems, because rewriting
> > the history at commit-time will have the effect that a push leaves you
> > in the situation where you end up with a different history on the
> > workstation and the server. All branches off the pushed branch will
> > become a hell, and a clusterfck of darkness and terror will take over.
> > 
> > > The way to set the author name and mail in a standard way, be it
> > > user-wide or per-repo. You can write up some simple instructions on how
> > > to do it.
> > >
> > >    git config user.name "Max Smith"
> > >    git config user.email max.smith@example.com
> > >
> > > and if the config should be valid for every repo, use --global flag.
> > > There is more information in the manual page.
> > >
> > > You could then add a check in the post-receive hook to reject pushes
> > > with invalid author names, if you feel it's worth it.
> > >
> > 
> > Denying a push is much more elegant than rewriting, but (as I pointed
> > out in my other mail) also has a lot of problems with distributed
> > work-flows. And let's face it when changing from SVN to Git, the
> > distributed nature is about the last feature that you'd want to give
> > up ;)
> > 
> > > Taking a step back, why is this even an issue, though? If you don't
> > > trust your developers to set their name and email correctly, why do you
> > > trust them to write code? If it's company policy for people to be
> > > referred to by their usernames rather than their given names, why not
> > > tell them to set it to that[0]? It seems like you are trying to solve a
> > > social issue with a technological measure that works at a different
> > > level.
> > 
> > Very well said, I completely agree!
> 
> As I mentioned already in my previous mail, it is not an issue but we
> presently use it with svn in a positive way.
> Say 5 designers are working with the same template, but in different
> sections. So it is very easy to understand who is working on what,
> and also these 5 designers can see/review the code among themselves and
> how previous code affects their work. So these features are exploited
> here in that positive direction.
> 

I don't see how using people's real name is any less clear about who
they are. Alternatively, you can use their email addresses to tell them
apart.

With git, you can fetch the changes from either a central repository or
a particular developer's/designer's repo and see what they are changing
without affecting your local copy. Say you fetch from developer B's repo
and you want to see what the differences are, you just do

    git diff B/some-branch

or if you want to see if the changes would merge cleanly, you create a
(local) branch and try to merge there. Or you can do it on your dev
branch and roll-back if it doesn't work.

How does your current workflow depend on usernames? From what you
describe, the above would work just as well.

Cheers,
   cmn

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: How to force git to use authentication as author
  2011-07-14 11:38         ` Carlos Martín Nieto
  2011-07-14 12:00           ` Erik Faye-Lund
  2011-07-14 12:01           ` J. Bakshi
@ 2011-07-14 12:44           ` Jakub Narebski
  2 siblings, 0 replies; 15+ messages in thread
From: Jakub Narebski @ 2011-07-14 12:44 UTC (permalink / raw)
  To: Carlos Martín Nieto
  Cc: J. Bakshi, Ævar Arnfjörð Bjarmason, git

Carlos Martín Nieto <cmn@elego.de> writes:

> That's not how it works. It may even be possible to rewrite the commits
> in the post-receive hook in a way that most stuff doesn't break
> horribly, this would be rewriting history behind the users' backs, and
> that only brings problems.

What you can do is forbid push.  I think update-paranoid and gitolite
have some examples on how to do that.
 
> The way to set the author name and mail in a standard way, be it
> user-wide or per-repo. You can write up some simple instructions on how
> to do it.
> 
>     git config user.name "Max Smith"
>     git config user.email max.smith@example.com
> 
> and if the config should be valid for every repo, use --global flag.
> There is more information in the manual page.
> 
> You could then add a check in the post-receive hook to reject pushes
> with invalid author names, if you feel it's worth it.
> 
> Taking a step back, why is this even an issue, though? If you don't
> trust your developers to set their name and email correctly, why do you
> trust them to write code? If it's company policy for people to be
> referred to by their usernames rather than their given names, why not
> tell them to set it to that[0]? It seems like you are trying to solve a
> social issue with a technological measure that works at a different
> level.
> 
> [0] and given that they're probably using their company email address,
> it wouldn't be a problem to get a unique ID for each developer if that's
> what you need.

Note that there is also .mailmap mechanism (see the documentation)
which can translate on the fly between public emails and internal
company emails, and which can fix invalid names... at least for
git-log, git-blame etc.

-- 
Jakub Narębski

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: How to force git to use authentication as author
  2011-07-14 11:53         ` Erik Faye-Lund
@ 2011-07-14 19:45           ` Jonathan Nieder
  0 siblings, 0 replies; 15+ messages in thread
From: Jonathan Nieder @ 2011-07-14 19:45 UTC (permalink / raw)
  To: Erik Faye-Lund
  Cc: J. Bakshi, Carlos Martín Nieto, Ævar Arnfjörð, git

Hi,

Erik Faye-Lund wrote:

> So let's step back a little bit. Why do you want the author to be
> identical to the authenticated user in the first place? Is it to be
> able to *prove* (i.e not trust the users that push) who wrote what
> code? If so, let me first tell you that giving someone push-access
> while not trusting them is a bit crazy. But if you're happy with being
> a bit crazy, you might want to somehow cryptographically sign the
> commits instead. I'd go for PGP-signing the patch-id, and putting that
> in a git-note.

Let's suppose you want to be able to decide who was to blame for the
latest breakage, not on a per-commit level but on a per-push level.
Then that seems quite doable to me through simpler means, on the
server side.  See

 http://sitaramc.github.com/gitolite/doc/3-faq-tips-etc.html#_better_logging

Hope that helps.
Jonathan

^ permalink raw reply	[flat|nested] 15+ messages in thread
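The two server-side options raised in the replies above (refusing a push whose commits carry an unexpected author name, and recording who pushed what) can be sketched as one `update` hook, which runs before a ref changes and can refuse the update. This is an added example, not code from any poster, from update-paranoid or from gitolite; it assumes pushes arrive through git-http-backend (smart HTTP) so that Apache's REMOTE_USER is in the hook's environment, and the log path and function names are hypothetical.

```shell
#!/bin/sh
# Added example: `update` hook sketch; git runs it as: update <ref> <old> <new>.
# Assumption: pushes arrive via git-http-backend (smart HTTP), so the
# Apache-authenticated name is in REMOTE_USER when the hook runs.
ZERO=0000000000000000000000000000000000000000
PUSH_LOG=${PUSH_LOG:-/var/log/git-push.log}   # hypothetical log path

# stdin: "<sha><TAB><author name>" lines. Prints the lines whose author
# differs from $1 and returns 1 if there were any.
mismatched_authors() {
    WANT="$1" awk -F '\t' '$2 != ENVIRON["WANT"] { print; bad = 1 }
                           END { exit bad + 0 }'
}

# One audit record per ref update: when, who pushed, which ref, old/new tip.
push_record() {
    printf '%s user=%s ref=%s old=%s new=%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Commits this update would add, as "<sha><TAB><author name>".
list_new_commits() {
    if [ "$1" = "$ZERO" ]; then            # new ref: skip what other refs already hold
        git log --format='%H%x09%an' "$2" --not --all
    else
        git log --format='%H%x09%an' "$1..$2"
    fi
}

run_hook() {
    ref=$1; old=$2; new=$3
    user=${REMOTE_USER:?push is not authenticated}
    push_record "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$user" "$ref" "$old" "$new" >>"$PUSH_LOG"
    [ "$new" = "$ZERO" ] && return 0       # ref deletion: nothing to inspect
    if ! bad=$(list_new_commits "$old" "$new" | mismatched_authors "$user"); then
        echo "rejected: commits whose author name is not '$user':" >&2
        echo "$bad" >&2
        return 1
    fi
}

# Act only when invoked by git with the three hook arguments.
if [ $# -eq 3 ]; then run_hook "$@"; fi
```

As the replies note, an author check like this also refuses pushes that carry other people's commits, such as merged work from a colleague; the log record alone gives per-push attribution without that restriction.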
