[facetube]

Alternatively, they could provide some sort of on-page indication of a credentials/e-mail mismatch, i.e. detect and publicly report when the HTTPS/SSH credentials used for a `git push` aren't associated with a verified e-mail address matching the commit's `user.email`.

I reported this issue a long time ago to their security team, and got a really condescending "we're a collaborative community, it's not a problem, you obviously don't understand" type of response. Pretty frustrating.

[jakobegger]

But isn't it somewhat reasonable that I push someone else's commit? Say I want to rewrite an old commit, and then force push that, then all the commits after the rewritten commit by other people would effectively be pushed by me.

Or consider the common case where the public repository on Github is just a mirror of an official repository somewhere else -- then commits from a bunch of people would all be pushed by whoever is responsible for keeping the repos in sync.

But maybe Github could just add some kind of a "pushed by" label that identifies the Github user who pushed the commit?

[mschuster91]

> But isn't it somewhat reasonable that I push someone else's commit? Say I want to rewrite an old commit, and then force push that, then all the commits after the rewritten commit by other people would effectively be pushed by me.

Even worse: rebasing (what rewriting an old commit actually does) changes all SHA hashes of the following commits, thus breaking existing PGP signatures on the commits. There should be two signatures... one for the patch+comment, one for the history.

[mrsuprawsm]

They do have a "committed by" feature that appears when you cherry-pick someone else's commit to a branch.

It shows up as "Bob committed with Alice".

I've only noticed it showing up for cherry-picks, I'm unsure if that's the only place it's used.

[terinjokes]

They show that if the git commit has differing author and committed fields (It shows up when I reorder and squash commits on branches before merging).

All one has to do to make it go away is change the committer field on the git, this isn't security added by GitHub.

[facetube]

Yeah, the "pushed by" indicator would be a great idea IMO.