Displaying login usernames for GIT

I've recently started using FishEye and Crucible in conjunction with git. The programmers have received a login username and password for an account I made them in the system, and they are able to work with it just fine. However, their usernames and e-mail addresses on their computer are set to something insignificant, and for some reason FishEye doesn't properly indicate who made the commit. Instead, it only shows this username and e-mail address.

How can I make it display the FishEye/Crucible login there, rather than whatever is set on their computer? The latter concerns me security-wise, as anybody will be capable of making changes under somebody else's name by simply changing the configuration settings.

Regards

1 answer

0 vote
Joe Xie Atlassian Team May 14, 2012

If you are asking to have fisheye display the corresponding user to the committer, please follow http://confluence.atlassian.com/display/FISHEYE/Changing+your+User+Profile#ChangingyourUserProfile-AuthorMappingTab

Normally, this should work automatically, because the committer email address is used to match the email address of users of fisheye. However, if a user sets their git config incorrectly, or chooses to use a different email address in their git config than the one supplied for fisheye, then this will not match. The user will have to manually add a mapping between a committer and themselves, or have the administrator perform the user mapping in the admin console for each user.

Dear Joe,

Thank you for your answer. I appreciate your input and I believe that you have answered my question to the best of your ability.

However, such behaviour for this software is absolutely unacceptable in my opinion. The programmers have been given a specific username and password that could be used to understand which user made what change. The requirement for them to set an e-mail address is not only unnecessary, but also gravely impacts both security and usability.

To explain the way that it impacts usability, imagine one of the programmers working from home. They can set up their git login details on their machine, but easily forget to update their e-mail address (which isn't forced on you, and thus should not be dependent on anyway). In that case I will be unable to see who made any of the changes, and I would simply have to guess. I would just have to hope the default display name/e-mail address was set up to good defaults to be able to understand.

But the security impact is even greater. The current design would allow users to make changes and make it look like they were made by somebody else! I personally wonder how many people as of yet have been fired because of doing something malicious with the source code, while they claimed it wasn't them. Given this knowledge, I believe them: another employee could easily have changed his e-mail address to the e-mail address of the other programmer and make some malicious changes to the code base. I can't even begin to imagine what consequences this may have some time in the future, or may have had, for some people.

It also invalidates the way you advertise the product. Your company has claimed that the software will "Show a profile of the user that made the change", which is of course false. Rather, it "Show[s] a profile of whoever the user that made the change claimed to be".

It is perhaps the most basic functionality one could expect of this software.

But this is all I can say in 2k characters.

Rega

Seb Ruiz Atlassian Team May 15, 2012

Hi Rega,

What you are describing is a requirement of Git, not FishEye. There is an important distinction between committer and author of changes in Git - you can read more about distributed workflows here: http://git-scm.com/book/en/Distributed-Git-Distributed-Workflows.

In order to achieve what you are looking for, you would need to set up a git commit hook to validate that the author of the changesets being pushed matches the username for authentication.

Please remember that FishEye is simply a magnifying glass into your repository and cannot change or enforce requirements that you have in your processes. It simply is a reflection of its state at any point in time.

Dear Seb and Joe,

Thanks for your answers. In my opinion that's still a terrible flaw, but not in the design of FishEye but in that of Git. While I understand those workflows, I believe that if nobody can be given a responsibility it should be that of the person allowing the changes in his repository, rather than being able to give the responsibility to whatever a person set his e-mail address to.

Is there any version control system supported by FishEye that does not suffer from the same flaw?

Edit: How would I go about checking the username used for authentication in the commit hook? I know how to update those scripts, but how do I get the used username?

Regards,

Gerben
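
A sketch of the server-side hook suggested in this thread, added here as an example (it is not code from the thread, from Atlassian or from Git itself). It shows where a `pre-receive` hook can find the authenticated login on common transports and how to compare it with the identity each pushed commit claims; the map file path and its `login email` format are assumptions, as is the choice to require both author and committer to match.

```shell
#!/bin/sh
# pre-receive hook: reject pushes whose commits claim someone else's identity.
# Assumed (hypothetical) map file with one "login email" pair per line.
IDENTITY_MAP="${IDENTITY_MAP:-/etc/git/identity-map}"

# The authenticated login depends on the transport:
#   REMOTE_USER  set by the web server in front of git-http-backend
#   GL_USER      set by gitolite
#   id -un       per-user SSH accounts
pusher_login() {
    printf '%s\n' "${REMOTE_USER:-${GL_USER:-$(id -un)}}"
}

# Print the email registered for login $1 (nothing if unknown).
email_for_login() {
    awk -v u="$1" '$1 == u { print $2; exit }' "$IDENTITY_MAP"
}

# stdin: "sha|author_email|committer_email" lines. Reports each commit whose
# author or committer email is not $1; returns 1 if any was found.
find_spoofed() {
    want=$1 bad=0
    while IFS='|' read -r sha author committer; do
        if [ "$author" != "$want" ] || [ "$committer" != "$want" ]; then
            echo "rejected $sha: author=$author committer=$committer (expected $want)"
            bad=1
        fi
    done
    return "$bad"
}

main() {
    login=$(pusher_login)
    email=$(email_for_login "$login")
    [ -n "$email" ] || { echo "no identity registered for '$login'" >&2; exit 1; }
    fail=0
    while read -r old new ref; do
        case $new in *[!0]*) ;; *) continue ;; esac   # all zeros: ref deletion
        # Only commits not yet reachable from any existing ref are checked.
        git log --format='%H|%ae|%ce' "$new" --not --all |
            find_spoofed "$email" >&2 || fail=1
    done
    exit "$fail"
}

# Run only when installed as hooks/pre-receive, so the functions can be sourced.
case "${0##*/}" in pre-receive) main ;; esac
```

Requiring the author to match also rejects pushes that carry colleagues' commits (merges, cherry-picks); drop the author comparison if only the committer should be bound to the login.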
