I've been playing about with the command line pushing commits into a repo. The repo is private and therefore I need to authenticate with either HTTPS or SSH - I get the same following behavior either way.
It appears, despite authenticating, that I can chose to commit using any identity I want simply by changing the user.email config setting. If I change it to a colleagues email address the commit appears to have been made by him.
Am I missing a repo setting that forces the commit to be under the authenticated user's identity? As it stands things appear to be pretty broken from an audit point of view.
That is how git works in principle. In Bitbucket Server you can enable the Verify Committer post-receive hook that verifies that the committer is the user pushing see Using repository hooks.
In addition, starting with Bitbucket Server 5.1 we offer GPG signed commits, giving you additional layer of authentication - see the Bitbucket Server 5.1 release notes for details.
Premier Support Engineer
Badges are a great way to show off community activity, whether you’re a newbie or a Champion.Learn more
After spinning my wheels trying to get organized enough to write a book for National Novel Writing Month (NaNoWriMo) I took my affinity for Atlassian products from my work life and decided to tr...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs