https://github.com/woaitsAryan/fakecommits

Ownership in Git, a very thin wall to break.

Aryan Bharti
Published in csivit
3 min read, Mar 11, 2024

I’m assuming you already know the basics of Git: init, add, commit, push. But Git is so much more than that under the hood. In this blog, I’ll take a deep dive into one such topic: ownership. Should be obvious, right? The person who committed a line of code owns it.

History

Git is the most popular source control tool out there, but it was far from the first. BitKeeper and Subversion were popular in the early 2000s. Yet Git took them all by storm. How? Partly due to its distributed nature: you didn’t need to be connected to a central server to write code. It also simplified access control: anyone can create their own copy or branch and start coding. It just made things simpler. But it also had a drawback.

The Problem

Due to Git’s distributed nature, there’s no central authority to verify the email address and username you configure for it. This means you can put in anyone’s name and email address and Git will happily use them in your commits. You could ask why GitHub, the biggest of the Git providers, doesn’t do something to verify ownership. It sort of does.

Bandaid

Optionally, you can sign your commits with a GPG key, which you can also add to GitHub so it can verify it’s really you who made the commit. No one really uses this except huge corporations. You can also disable force pushes to your repository so that a past commit doesn’t get altered. The majority of repositories have neither protection. Neither protects against someone copying your work or impersonating you.
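One way to audit a repository for the gap described above, as an added example (not from the original post or from any tool it mentions): it reads `git log` output with the `%G?` signature status and lists commits that lack a good signature, plus author addresses that appear on both signed and unsigned commits. The function names and the sample lines are assumptions made for this example.

```python
import subprocess
from collections import defaultdict

# Tab-separated: commit hash, author email, committer email, signature status.
LOG_FORMAT = "%H%x09%ae%x09%ce%x09%G?"
# %G? codes per git-log(1): G good, B bad, U good but unknown validity,
# X/Y expired, R revoked key, E cannot be checked, N no signature.
TRUSTED = {"G"}

def read_log(repo="."):
    """Return the log of every commit reachable from any ref in `repo`."""
    cmd = ["git", "-C", repo, "log", "--all", "--format=" + LOG_FORMAT]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def audit(log_text):
    """Return (unverified, mixed).

    unverified: (hash, author, committer, status) for each commit whose
                signature status is not in TRUSTED.
    mixed:      author emails seen on both verified and unverified commits,
                i.e. identities that normally sign but also appear unsigned.
    """
    unverified, seen = [], defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sha, author, committer, status = line.split("\t")
        verified = status in TRUSTED
        seen[author].add(verified)
        if not verified:
            unverified.append((sha, author, committer, status))
    mixed = sorted(a for a, states in seen.items() if states == {True, False})
    return unverified, mixed

# Constructed sample in LOG_FORMAT (hashes and addresses are made up).
SAMPLE = "\n".join([
    "c0ffee1\tmaintainer@example.com\tmaintainer@example.com\tG",
    "c0ffee2\tmaintainer@example.com\tsomeone@example.net\tN",
    "c0ffee3\tcontrib@example.org\tcontrib@example.org\tN",
])

if __name__ == "__main__":
    unverified, mixed = audit(SAMPLE)  # or audit(read_log("path/to/repo"))
    for sha, author, committer, status in unverified:
        print(f"{sha} status={status} author={author} committer={committer}")
    print("signed and unsigned commits under one address:", mixed)
```

Git can only report `G` when the signer's public key is in the local keyring and trusted; otherwise signed commits show up as `E` or `U` and land in the unverified list.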

Rewriting Git Histories

Almost a decade ago, jayphelps made git blame-someone-else, which changes the author of a commit to anyone you want. It also means you can pretend to be anyone in a Git commit, and GitHub will happily show their profile photo and everything.

So are Git and GitHub just based on trust now? That is a very thin wall.

Breaking the thin wall

Consider a scenario where I just stole someone’s project, went through all their commits and made myself the author. Now we have 2 repos with the exact same histories with different authors. How can you know for sure which is the real one? Who knows. But it’s certainly fun so I made a tool out of it which does all this work for you.

I present to you regit, a CLI tool written in Go to efficiently rewrite histories. You can use regit own to effectively own a repository, making you the author of all the commits. There is also regit blame, which changes the author of all commits to anyone you want, even Linus Torvalds, the creator of Git. Here’s the repo if you want to do some totally legal shenanigans:

https://github.com/woaitsAryan/regit

https://github.com/woaitsAryan/testgit

More features I added

Imagine you have a project whose commit timestamps are scattered over a year. You want the timestamps to fall within the past 24 or 48 hours for some reason (cough, hackathon). There’s a retime command in the CLI to help you do that; check it out by running ./regit retime -h. If you have any suggestions for more features you’d want, let me know in the comments!
