
Say, we have a number of people working on some kind of collaborative effort (such as a research paper or a software project) that is committed into a shared repository. However, a certain subset of these people are also conspiring against the rest of the people involved so as to deny them authorship. The motivations could be, for example, taking credit for other people's work, denying others the recognition or money they deserved as contributors, and so on.

The threat model here involves institutions without a fixed control structure and without an effective higher authority located in-house which could resolve such a dispute, as is often the case for hobby projects worked upon by friends, and in certain situations, research papers. (Just to be clear, we do have a judiciary where legal disputes can be brought.)

Timestamps and authorship information in the repository itself do not provide any valid proof, since the conspirators can just as easily recreate another version of the repository which would show that the commits have been made just by them.

Is there a protocol, which, if followed by every person committing to the repository, would allow the victims to prove their authorship should a dispute arise?

  • Can't you see all the commits and when and who did them? Then you will be able to detect who uploaded it first... – Bubble Hacker Jul 17 '16 at 18:54
  • @BubbleHacker -- commits can be forged, nor is a description of such a system necessary to remove the possibility of maintaining a "clone" of revision history. – zetavolt Jul 17 '16 at 19:00
  • @ZephyrPellerin You can always use keys to identify the user – Bubble Hacker Jul 17 '16 at 19:01
  • @BubbleHacker That doesn't resolve a thing, as all parties have plain-text and can, I'll repeat again here, simply clone the revision history with their own modifications. – zetavolt Jul 17 '16 at 19:02

3 Answers


You need a trusted 3rd-party to witness and vouch for every commit. For example, if you use an online repository such as GitHub, then there is an online record of each commit. If you are not using a trusted 3rd-party service, then you need to use a notary or similar service. This could be a person who witnesses each commit, or an online notary that performs the work electronically. You could simply mail or email commits to a trusted person (perhaps an attorney).

All of these solutions rely on the trustworthiness of the 3rd-party.

Note that all of these solutions only prove that the work existed at a specific date. They cannot prove whose brain the work originated in. For that you'll need a mind reader.

Neil Smithline
  • By "online record" are you referring to the "commit logs"? That can easily be faked. –  Jul 17 '16 at 19:13
  • @user2064000 - Do you have a link to a specific problem that you are concerned with? I think GitHub will meet your needs for this. Even if it doesn't, the concept of using a trusted 3rd-party still holds. – Neil Smithline Jul 17 '16 at 19:31
  • @user2064000: Commit logs can be faked by the client, but if each user uses their own client and commits directly from the client to the trusted server (GitHub), then the conspirators have no opportunity to tamper with your logs. More importantly though, GitHub authenticates all users (using username+password or SSH public keys) and tags commits by which user made them. If each contributor has their own GitHub account (and the conspirators don't know your login credentials/have your private key), then your commits will be indelibly identified as yours. – CBHacking Jul 17 '16 at 20:23
  • @CBHacking - But then it's a "he said/she said", the commit logs can be destructively removed and *someone* has a fake history -- how do you prove who? – zetavolt Jul 18 '16 at 08:47
  • @ZephyrPellerin: Are you saying GitHub allows irreparably deleting the record of who pushed a commit? That's very much news to me, if so, but I'm not an expert with either Git in general or GitHub in particular, so maybe it's true. Seems like a bad design on their part, though. – CBHacking Jul 18 '16 at 09:14
  • @ZephyrPellerin can you provide a link to documentation that GitHub allows this? – Neil Smithline Jul 18 '16 at 13:51
  • @NeilSmithline @CBHacking It's not GitHub's responsibility to control this, nor should it be -- every time a repository is rebased, all subsequent hashes are changed, and commit amending does so as well (at least for your own). If you really want to try this at home you can run `git filter-branch --env-filter 'export GIT_AUTHOR_NAME="zv"' && git push -f`. – zetavolt Jul 18 '16 at 19:37
  • The solution would be to set their GitHub user permissions so that they can only submit a PR, and make a trusted employee have the ability to accept/merge them as well as do all this dangerous stuff you guys are speaking of. This should be set up like this anyway. Otherwise, if everyone has full control and can push whenever, you have a too-many-hands-in-the-cookie-jar situation and code reviews are least likely to happen. – Bacon Brad Jul 28 '16 at 23:00

You can log into that site using http://www.icanprove.de . You just should change your passwords afterwards as a precaution.


You always need a trusted third party to solve these problems. There are, however, some interesting approaches using the public itself as a trusted third party.

The classic example uses a newspaper and the classifieds section. When you have a piece of work you want to prove authorship for, you take a checksum of it (SHA-1 perhaps), sign it (with RSA perhaps), and then take out a classified ad with the contents of that signature. You then wait at least a day before revealing your work.

Anyone who wants to authenticate your work simply takes the checksum and verifies that it is indeed the checksum you put in the classified, and then verifies that you were the person who signed it.

Someone who wants to steal the work has to sign that checksum and put it in a classified ad as well. However, since they don't know the content of the work until you release it, they have to put an ad in the next day's newspaper. Thus they can claim to have authored the work, but you can always point out that your classified ad posted a day before theirs. The only way they could have authored it and you posted first is if you stole the work before it was made public.

This process can be easily applied to a Git repository by tagging your work with your signature, and then publishing the tag in a classified ad.

Cort Ammon
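The commit-then-reveal ordering that this answer describes, worked through as an added Python example (it is not code from the answer or from any project named on this page). The "newspaper" is a constructed stand-in for the public record whose only property is that ads cannot be backdated; the claimant names, dates and document content are constructed sample values. The RSA (or GPG) signature over the digest is left to existing tooling such as `git tag -s`, so here the ad simply carries the claimant's name next to the SHA-256 digest. The example also shows the two caveats a verifier should keep in mind: a conspirator's ad for an edited copy commits to different content and establishes nothing about the original, and, as the first answer notes, even the earliest ad only proves the content existed on that date, not whose work it was.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ad:
    """One classified ad: the issue date, who placed it, and the digest it carries."""
    published: date
    claimant: str
    digest: str


def commitment(work: bytes) -> str:
    """Hex SHA-256 of the work. Only this digest is published; the work itself
    stays private until the author chooses to reveal it."""
    return hashlib.sha256(work).hexdigest()


class Newspaper:
    """Constructed stand-in for the public record. Its one security property is
    that ads are appended in issue order and can never be backdated."""

    def __init__(self) -> None:
        self._ads: List[Ad] = []

    def publish(self, published: date, claimant: str, digest: str) -> Ad:
        if self._ads and published < self._ads[-1].published:
            raise ValueError("an ad cannot appear in an issue that has already gone to print")
        ad = Ad(published, claimant, digest)
        self._ads.append(ad)
        return ad

    def ads_for(self, digest: str) -> List[Ad]:
        return [a for a in self._ads if a.digest == digest]


def earliest_claimant(paper: Newspaper, work: bytes) -> Optional[Tuple[str, str]]:
    """Recompute the digest of the revealed work and return (claimant, ISO date) of
    the earliest ad carrying it, or None if nobody ever committed to this content."""
    ads = paper.ads_for(commitment(work))
    if not ads:
        return None
    first = min(ads, key=lambda a: a.published)
    return first.claimant, first.published.isoformat()


def dispute_scenario() -> Optional[Tuple[str, str]]:
    """The race the answer describes, with constructed dates and content."""
    paper = Newspaper()
    day0 = date(2016, 7, 17)
    work = b"Section 4: proof of the main theorem ...\n"  # constructed sample content

    # Day 0: Alice publishes only the digest; the work itself is still private.
    paper.publish(day0, "alice", commitment(work))
    # Day 1: Alice pushes the work to the shared repository; everyone can read it now.
    # Day 2: Mallory, who could only hash it after seeing it, places a matching ad.
    paper.publish(day0 + timedelta(days=2), "mallory", commitment(work))

    # Verification needs no trust in either party: just the work and the back issues.
    return earliest_claimant(paper, work)  # ('alice', '2016-07-17')


def derivative_has_no_priority() -> bool:
    """An edited copy hashes to content nobody committed to on day 0, so an ad for
    it only proves that the edited copy existed on the day that ad was placed."""
    paper = Newspaper()
    original = b"Section 4: proof of the main theorem ...\n"
    edited = original + b"(with minor edits)\n"
    paper.publish(date(2016, 7, 17), "alice", commitment(original))
    paper.publish(date(2016, 7, 19), "mallory", commitment(edited))
    return (earliest_claimant(paper, original) == ("alice", "2016-07-17")
            and earliest_claimant(paper, edited) == ("mallory", "2016-07-19"))


def backdating_is_rejected() -> bool:
    """The whole scheme rests on the record not being backdatable; check the
    stand-in actually refuses an ad dated before the last issue."""
    paper = Newspaper()
    paper.publish(date(2016, 7, 18), "mallory", "0" * 64)
    try:
        paper.publish(date(2016, 7, 17), "mallory", "0" * 64)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(dispute_scenario())
```

In a real Git workflow the digest that goes into the ad would be the hash of a signed tag (or the tag's signature), created with `git tag -s`, so that the published commitment is bound to the signer's key as well as to the content; the ordering argument above is unchanged, and the newspaper can be replaced by any public record that cannot be backdated.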