Lately I've been exploring the vast and terrible world of intellectual property law and people seem to think that if you create something(software) on your time, with your equipment, it typically belongs to you. I know there are many exclusions to this and a couple of really good and informative posts on the subject. But now I'm mostly just curious about the means someone violating this agreement could be proven guilty.
My question is, is it possible to link a specific git commit to the computer it was committed with? How?
When you push to a Git repository over HTTP, HTTPS, or SSH, the remote server generally creates logs of what time the connection occurred and what IP address it originated from. However, most companies employ NAT, resulting in multiple computers on a network sharing the same public IP address.
Some examples logs:
# SSH
Feb 8 01:08:37 git-server sshd[12619]: Accepted publickey for git from 192.168.1.100 port 63012 ssh2: RSA SHA256:XxXxxXxxXXXxXX
Feb 8 01:08:37 git-server sshd[12619]: pam_unix(sshd:session): session opened for user git by (uid=0)
# Apache HTTP(s)
192.168.1.100 - - [8/Feb/2016:22:03:18 +0000] "GET /repos/info/refs HTTP/1.1" 200 153
Additionally, Git is decentralized, so the computer that actually pushed a commit did not necessarily author the commit.
A commit is generally tied to a name or username of some sort, and an email address; however, this can be changed at the time of committing without creating a record of what it was before and what it is now.
This is as simple as:
$ git config user.name "John Doe"
$ git config user.email johndoe@example.com
$ git commit
$ git config user.name "Jane Otheruser"
$ git config user.email janeotheruser@example.com
So, in short, there are heuristics that can point to who authored a commit and from where, but it is absolutely not absolute. Git itself does not record unique identifying information about the computer on which a commit was authored.
Version Control Systems like Subversion, in which all commits are immediately pushed to one central repository, are more easily linked to a Public IP, but are still not linked to an individual computer or user.