Email or username:

Password:

Forgot your password?
Top-level
Hector Martin

@stsp It's possible by design because the Git protocol has no concept of "who opened a merge request" since merge requests themselves are not part of the protocol. Anyone can fundamentally claim credit for any code *merge* on GitHub by design. What they can't do is claim credit for the code (commit authorship *is* part of the protocol).

The only fix would be for GitHub to stop auto-marking PRs as merged when merge commits are pushed, but that would make things awkward since manual merges would not allow PRs to be marked merged at all. Or I guess they could do some hack where this only works if the PR author has at least one commit authored or committed by them in the merge branch. But that's hard to explain.

1 comment
Stefan Sperling

I see, thanks for the explanation.

Yeah, it's clear that anyone can mirror anyone else's merge-commits and that this needs to be allowed by the Git protocol. There's an implicit assumption that authenticated users won't push garbage to servers, and in a distributed system this assumption is hard to avoid since such things cannot possibly be verified on every server.

Seems like the best solution would indeed be requiring PRs not merged via the web UI to be closed manually. I can see how Github might be afraid that people would find this too inconvenient. I myself would prefer a solid design over such convenience, though.

I see, thanks for the explanation.

Yeah, it's clear that anyone can mirror anyone else's merge-commits and that this needs to be allowed by the Git protocol. There's an implicit assumption that authenticated users won't push garbage to servers, and in a distributed system this assumption is hard to avoid since such things cannot possibly be verified on every server.

Go Up