Displaying login usernames for GIT

Gerben van der Lubbe May 14, 2012

I've recently started using FishEye and Crucible in conjunction with git. The programmers have received a login username and password for an account I made them in the system, and they are able to work with it just fine. However, their usernames and e-mail addresses on their computer are set to something insignificant, and for some reason FishEye doesn't properly indicate who made the commit. Instead, it only shows this username and e-mail address.

How can I make it display the FishEye/Crucible login there, rather than whatever is set on their computer? The latter concerns me security-wise, as anybody will be capable of making changes under somebody else's name by simply changing the configuration settings.

Regards

1 answer

0 votes
Chii
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 14, 2012

If you are asking to have fisheye display the corresponding user to the committer, please follow http://confluence.atlassian.com/display/FISHEYE/Changing+your+User+Profile#ChangingyourUserProfile-AuthorMappingTab

Normally, this should work automatically, because the committer email address is used to match the email address of users of fisheye. However, if a user sets their git config incorrectly, or chooses to use a different email address in their git config than the one supplied for fisheye, then this will not match. The user will have to manually add a mapping between a committer and themselves, or have the administrator perform the user mapping in the admin console for each user.

Gerben van der Lubbe May 14, 2012

Dear Joe,

Thank you for your answer. I appreciate your input and I believe that you have answered my question to the best of your ability.

However, such behaviour for this software is absolutely unacceptable in my opinion. The programmers have been given a specific username and password that could be used to understand which user made what change. The requirement for them to set an e-mail address is not only unnecessary, but also gravely impacts both security and usability.

To explain the way that it impacts usability, imagine one of the programmers working from home. They can set up their git login details on their machine, but easily forget to update their e-mail address (which isn't forced on you, and thus should not be dependent on anyway). In that case I will be unable to see who made any of the changes, and I would simply have to guess. I would just have to hope the default display name/e-mail address was set up to good defaults to be able to understand.

But the security impact is even greater. The current design would allow users to make changes and make it look like they were made by somebody else! I personally wonder how many people as of yet have been fired because of doing something malicious with the source code, while they claimed it wasn't them. Given this knowledge, I believe them: another employee could easily have changed his e-mail address to the e-mail address of the other programmer and made some malicious changes to the code base. I can't even begin to imagine what consequences this may have some time in the future, or may have had, for some people.

It also invalidates the way you advertise the product. Your company has claimed that the software will "Show a profile of the user that made the change", which is of course false. Rather, it "Show[s] a profile of whoever the user that made the change claimed to be".

It is perhaps the most basic functionality one could expect of this software.

But this is all I can say in 2k characters.

Rega

seb
Atlassian Team
May 15, 2012

Hi Rega,

What you are describing is a requirement of Git, not FishEye. There is an important distinction between committer and author of changes in Git - you can read more about distributed workflows here: http://git-scm.com/book/en/Distributed-Git-Distributed-Workflows.

In order to achieve what you are looking for, you would need to set up a git commit hook to validate that the author of the changesets being pushed matches the username for authentication.

Please remember that FishEye is simply a magnifying glass into your repository and cannot change or enforce requirements that you have in your processes. It simply is a reflection of its state at any point in time.

Gerben van der Lubbe May 15, 2012

Dear Seb and Joe,

Thanks for your answers. In my opinion that's still a terrible flaw, but not in the design of FishEye but in that of Git. While I understand those workflows, I believe that if nobody can be given a responsibility it should be that of the person allowing the changes in his repository, rather than being able to give the responsibility to whatever a person set his e-mail address to.

Is there any version control system supported by FishEye that does not suffer from the same flaw?

Edit: How would I go about checking the username used for authentication in the commit hook? I know how to update those scripts, but how do I get the used username?

Regards,

Gerben
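
A server-side hook of the kind discussed in this thread, as an added example that is not code from any of the posters or from Atlassian. It assumes the transport exports the authenticated login as `REMOTE_USER` (git-http-backend behind web-server authentication) or `GL_USER` (gitolite over SSH); the `IDENTITY_MAP` file, its path and its "login email" format are hypothetical.

```shell
#!/bin/sh
# pre-receive hook: reject commits whose author/committer e-mail is not the
# one registered for the authenticated pusher.
# Assumptions: the login arrives as REMOTE_USER (git-http-backend behind
# web-server auth) or GL_USER (gitolite over SSH); IDENTITY_MAP is a
# hypothetical admin-maintained file of "login email" lines.
IDENTITY_MAP=${IDENTITY_MAP:-/etc/git/identity-map}   # hypothetical path

# Print the e-mail registered for login $1 (nothing if unknown).
allowed_email() {
    awk -v u="$1" '$1 == u { print $2; exit }' "$IDENTITY_MAP"
}

# Succeed only if e-mail $2 is the one mapped to login $1 (case-insensitive).
identity_ok() {
    want=$(allowed_email "$1" | tr 'A-Z' 'a-z')
    got=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$want" ] && [ "$got" = "$want" ]
}

# Read "old new ref" lines from stdin; check every commit new to the repo.
check_push() {
    login=$1
    rc=0
    [ -n "$login" ] || { echo "rejected: no authenticated user" >&2; return 1; }
    while read -r old new ref; do
        case $new in *[!0]*) ;; *) continue ;; esac   # all-zero id: ref deletion
        for c in $(git rev-list "$new" --not --all); do
            ae=$(git log -1 --format=%ae "$c")
            ce=$(git log -1 --format=%ce "$c")
            for e in "$ae" "$ce"; do
                identity_ok "$login" "$e" && continue
                echo "rejected: $c claims <$e>, pushed by $login" >&2
                rc=1
            done
        done
    done
    return $rc
}

# Run only when installed as hooks/pre-receive, so the file can be sourced.
case "$0" in
    *pre-receive) check_push "${REMOTE_USER:-$GL_USER}" || exit 1 ;;
esac
```

Checking the author e-mail as well as the committer e-mail also rejects cherry-picks and applied patches that originate from someone else; removing `"$ae"` from the inner loop enforces the committer only.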
