Git “git config --global user.name” why does this option exist?

我寻月下人不归 2021-01-13 20:14

Git Beginner Alert! I have a basic question as to WHY does GIT allow one to change the user name as a config option

 git config --global use         


        
1 answer
  • 2021-01-13 20:55
    1. As Greg notes in a comment, that can only work in a pure-push workflow. There are many others, including pure-pull, email, git bundle, or any mix of these.
    2. It can't quite work for technical reasons: the identity of a commit is a cryptographic checksum of the complete contents of that commit, including the commit's author and committer fields. These must be assigned at the time the commit is created, and once assigned, can never be changed: to "change" any part of a commit, you copy it to a new commit object, which gets a new commit hash, which is only identical to the original commit if it's bit-for-bit identical. In other words, I can impersonate you by copying your commit bit-for-bit, including all the source, the log message, the time stamps, and so on. But to do that I have to get your commit, after which my copy is just your commit. In which case, it is your commit, and it should have your name on it!
    3. There are often good reasons to separate the exposed identity (user name and email) from any authentication credentials: for instance, the credentials I use to authenticate to GitHub are different from those I use to authenticate to other locations. Yet I am still the same person. One could add a level of indirection—I authenticate using credentials A, and then the site maps A to B to get my name (and in fact GitHub does just that with ssh since one "logs in" as git@github.com)—but that puts all the power in the hands of the site. That's contrary to the design philosophy.

    Should you wish to establish the authenticity of some particular commit—e.g., you obtain a commit whose ID is 99154acf3ba... or some such, and it claims to be authored by Linus Torvalds or Bill Gates or Barack Obama or whatever—Git provides the ability to use some external authentication service, such as PGP, that uses digital signatures and all their complexities (including both Chain of Trust and revocation). This particular field has, shall we say, some ongoing developments, some of which affect Git somewhat.

    (PGP authentication via GPG is built in to Git but done by external programs. The particularly glaring weakness here is that a signed tag or commit verifies only the one tag or commit itself. Further authentication depends on the security of the Merkle tree, which is not quite compromised for Git's usage of SHA-1 yet, but is getting suspect: see linked StackOverflow question.)
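The point made in item 2 and in the closing note about the Merkle tree, as an added example that is not part of the original answer: it recomputes Git object IDs by hand, assuming the default SHA-1 object format. The names, e-mail addresses, timestamp and commit messages are constructed sample values.

```python
import hashlib

def git_object_id(obj_type: str, body: bytes) -> str:
    """Name an object the way Git does: SHA-1 over '<type> <size>\\0' + body."""
    header = f"{obj_type} {len(body)}".encode() + b"\x00"
    return hashlib.sha1(header + body).hexdigest()

def commit_body(tree, author, committer, when, message, parents=()):
    """Serialize a commit object; author and committer are part of the hashed bytes."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {author} {when}", f"committer {committer} {when}", "", message]
    return ("\n".join(lines) + "\n").encode()

# Constructed sample identities and timestamp (not taken from the page).
WHEN = "1610540040 +0000"
ALICE = "Alice Example <alice@example.com>"
OTHER = "Someone Else <other@example.com>"
EMPTY_TREE = git_object_id("tree", b"")  # a tree object with no entries

def demo():
    original = commit_body(EMPTY_TREE, ALICE, ALICE, WHEN, "Initial commit")
    # A bit-for-bit copy is the same object: same bytes, same ID.
    copy_id = git_object_id("commit", bytes(original))
    # Same tree, message and timestamps, different author field: a different commit.
    renamed = commit_body(EMPTY_TREE, OTHER, ALICE, WHEN, "Initial commit")
    orig_id = git_object_id("commit", original)
    renamed_id = git_object_id("commit", renamed)
    # Children embed the parent ID, so the difference propagates down the history.
    child_a = commit_body(EMPTY_TREE, ALICE, ALICE, WHEN, "Second", [orig_id])
    child_b = commit_body(EMPTY_TREE, ALICE, ALICE, WHEN, "Second", [renamed_id])
    return {
        "original": orig_id,
        "copy": copy_id,
        "renamed": renamed_id,
        "child_of_original": git_object_id("commit", child_a),
        "child_of_renamed": git_object_id("commit", child_b),
    }

if __name__ == "__main__":
    for label, oid in demo().items():
        print(f"{label:18} {oid}")
```

A signature on the child commit therefore covers the parent's author field only indirectly, through the parent ID stored in the signed bytes.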
