1

I want to use git as an electronic lab notebook (see https://github.com/cboettig/labnotebook for an example). However, I am concerned that, since it is possible to rebase, the integrity of my research data could be questioned. Is there a way to verify that a git repository hasn't been rebased? I know that rebases are stored in the reflog, but those are deleted after 30 days.

Alternatively, I know I could use mercurial and this wouldn't be an issue.

Koppology
  • 262
  • 1
  • 2
  • 6

1 Answers1

1

The way to ensure the integrity of the history is to store elsewhere the SHA1 of the current HEAD when you are pushing new commits to your repo.

If that SHA1 is no longer part of the history later, that means some kind of "history rewriting" (rebase, push --force, ...) has taken place.

But the repo itself, aside from the reflog, doesn't keep an audit trail of the operations taking place in it. For that, you would have to add an authorization layer like gitolite, which comes with said audit trail.

Community
  • 1
  • 1
VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • Thanks for the reply. For future reference, I found a website www.timecert.org that timestamps hashes and offers third-party verification. I like that idea, but I don't know if that offers a long-term solution since I don't know about how long it'll be around. – Koppology Oct 08 '13 at 16:56
  • @Koppology interesting, but TimeCert doesn't seem to be much active now: https://github.com/pelle/TimeCert – VonC Oct 08 '13 at 18:42
  • @VonC that or it's stable. [drupal.org says the code is in light but continuous use and has been for years](https://drupal.org/project/usage/timecert) and [the wayback machine says that site's been up since 2006](http://web.archive.org/web/20060424201108/http://timecert.org/). It can't be expensive to host. Perhaps OP could get his university to host an instance, it's better that way anyway, they'd control the logs. +1 from me anyway, the crucial issue is log control. – jthill Oct 09 '13 at 01:23