It seems pretty easy to spoof other users in a Git repository on Azure DevOps, since there is no built-in way of preventing this.
I can change the committer using
git config --global user.email "[email protected]"
git config --global user.name "foo"
And I can change the author using
git commit --author="foo <[email protected]>"
Azure DevOps allows me to simply push these changes. Again, there doesn't seem to be a default way to ensure commits are really from the claimed author.
Of course, I am shown as the person who pushed them. However, if my repository is ever moved to another Azure DevOps project, this information will not be transferred to the new location, because there the code is pushed by the user performing the move.
If we need to know for sure who changed what code, for auditing reasons, what would be the best approach? Is this at all possible in Azure DevOps with Git? Or do we need to switch to a different source control system?
CodePudding user response:
If we need to know for sure who changed what code, for auditing reasons, what would be the best approach?
You should have your developers cryptographically sign their commits using GPG Keys. See documentation from GitHub, or the Git book, etc.
You should also configure your CI environment to reject commits that do not have a valid signature.
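A concrete form of that CI rejection step, as an added example that is not part of this answer and not an Azure DevOps feature: a bash script run in the pipeline after the developers' public keys have been imported into the job's GnuPG keyring. The script name, the argument order (base ref, then head ref) and the keyring setup are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the question or answers: a CI gate that rejects
# commits in a range unless git reports a good GPG signature for them.
# Assumes the developers' public keys were already imported into the CI
# job's GnuPG keyring, so that "git log --format=%G?" can classify commits.
set -eu

# Policy for one "%G?" status letter. git documents these values:
#   G good, U good but key untrusted, X good but signature expired,
#   Y good but key expired, R good but key revoked, B bad, E cannot check, N none.
# U is accepted because the CI keyring holds only allow-listed keys and no
# trust database; everything else (expired, revoked, bad, missing) is rejected.
status_ok() {
  case "$1" in
    G|U) return 0 ;;
    *)   return 1 ;;
  esac
}

# Reads "<sha> <status> <signer name>" lines on stdin (the output of
# git log --format='%H %G? %GS'), prints one REJECT line per offending
# commit, and returns non-zero if any commit fails the policy.
check_signature_log() {
  local bad=0 sha status signer
  while read -r sha status signer; do
    [ -n "$sha" ] || continue
    if status_ok "$status"; then
      continue
    fi
    bad=$((bad + 1))
    printf 'REJECT %s status=%s signer=%s\n' "$sha" "$status" "${signer:-<none>}"
  done
  if [ "$bad" -gt 0 ]; then
    printf '%d unsigned or badly signed commit(s); failing the build\n' "$bad" >&2
    return 1
  fi
  return 0
}

# Checks every commit reachable from $2 but not from $1, e.g. the PR head
# against the target branch the pipeline checked out.
check_range() {
  git log --format='%H %G? %GS' "$1..$2" | check_signature_log
}

# Usage from a pipeline step: ./verify-signatures.sh origin/main HEAD
if [ "$#" -ge 1 ]; then
  check_range "$1" "${2:-HEAD}"
fi
```

Because a pipeline job starts with an empty keyring, a key that is not imported yields status E and the commit is rejected, so the keyring import is itself the allow-list of who may author commits.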
CodePudding user response:
It seems pretty easy to spoof other users in an Azure DevOps Git repository.
Note that commit authors are unrelated to Azure DevOps. A better way to state your first sentence would be
It seems pretty easy to spoof other users in a Git repository.
Yes, that's true, because the commit authors can be set to any names the pusher wants them to be, similarly to how the authors of printed books can be set to any names the publisher wants them to be. (For example when a book has a famous person's name on the cover but was actually written by a ghost writer. Surely people use famous people as the author in Git as well, and sometimes for nefarious reasons.)
If you want to get (closer) to trusting that the commit authors are who they say they are, then see larsks's answer regarding signing commits.
Now, for the AzDO-specific implementation of the push logs on the server side, you can see that it is showing correctly. You mentioned:
However, if my repository is ever moved to another Azure DevOps project, this information will be overwritten with the user performing the move.
Note, it would not be "overwritten" - the original push logs from this project would remain, but you would have another push log for the new project. If there was ever a question about something in that newly pushed repo, one might ask that pusher where they got it from.