问题
It seems that the most popular versioning systems like Git and others allow for repository history modification - which in turn means that the date of commit/revision can be very easily forged. If one would ever want to retrospectively check the development process of a project hosted on GitHub, none of the information will be guaranteed to be true.
Accuracy of dates (and authorship as well) can be crucial for copyrighting and retrospective validation from a third-party, so I've been wondering: What is the common practice for keeping your code's availability online properly time-stamped? To add an analogy, Youtube doesn't allow users to change the date of videos uploaded, so it's clear to see which video was the original, as potential forgery would have to come from Youtube's dev team directly, which is highly unlikely and conspiratorial.
Are there any workarounds in distributed version systems to achieve this? If not, are there any online code storages where the commit date is not modifiable or where the upload date of the contents is stored and available for display?
Thank you for your time,
VA
回答1:
This has nothing to do with history rewrites, anyone can trivially forge timestamps on any system they administer. If you really need an unforgeable timestamp you should be putting the output from a digital timestamping service in your commit message, it'd be easy enough to set that up, feed the output of git write-tree to the timestamping api, wait for the result, put that in the message.
回答2:
- If you want to use DVCS without rewriting (public) history - use this DVCS (Mercurial), not Git
- Date of commit isn't in any case trusted data, you have to rely on hash of changeset (and singing of all commits, probably)
来源:https://stackoverflow.com/questions/59933869/indisputable-time-stamping-for-code-in-distributed-versioning-systems