惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
N
News and Events Feed by Topic
D
DataBreaches.Net
MongoDB | Blog
MongoDB | Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Engineering at Meta
Engineering at Meta
T
Tailwind CSS Blog
博客园_首页
Microsoft Azure Blog
Microsoft Azure Blog
Y
Y Combinator Blog
博客园 - Franky
Hugging Face - Blog
Hugging Face - Blog
月光博客
月光博客
A
About on SuperTechFans
I
InfoQ
S
Securelist
Last Week in AI
Last Week in AI
S
Schneier on Security
C
CXSECURITY Database RSS Feed - CXSecurity.com
Hacker News: Ask HN
Hacker News: Ask HN
Schneier on Security
Schneier on Security
Know Your Adversary
Know Your Adversary
腾讯CDC
大猫的无限游戏
大猫的无限游戏
S
Security @ Cisco Blogs
博客园 - 三生石上(FineUI控件)
Simon Willison's Weblog
Simon Willison's Weblog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Tor Project blog
美团技术团队
aimingoo的专栏
aimingoo的专栏
G
Google Developers Blog
罗磊的独立博客
Vercel News
Vercel News
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
The Cloudflare Blog
S
Secure Thoughts
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Latest news
Latest news
Recent Announcements
Recent Announcements
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
L
LINUX DO - 热门话题
Security Latest
Security Latest
TaoSecurity Blog
TaoSecurity Blog
Cyberwarzone
Cyberwarzone
有赞技术团队
有赞技术团队

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Your Git Log Is a Legal Document
Bojan Josifoski · 2026-05-29 · via DEV Community

In 2024, Orca Security sued Wiz and demanded their full git version control history. Orca wanted to see "when features and functions were added, modified, or altered, including through engineers' notes and comments." The court recognized git history as relevant evidence in a software IP dispute. It ordered production of commit logs tied to two specific features.

That ruling should concern you. Your commits record author name, email, timestamp, and content hash. Git chains them together cryptographically, replicates them across clones, and makes them discoverable in litigation. You are building a legal record whether you intend to or not.

You already use git as a development tool. It is also a chain of custody for intellectual property. And you are probably destroying yours.

A Cryptographic Chain of Custody

Every git commit stores five things: the content of the change, the author's name and email, the author's timestamp, the committer's name and email, and the committer's timestamp. That commit is hashed using SHA-1 (or SHA-256 in newer repositories), and the hash incorporates the hash of the parent commit. Change one byte anywhere in the chain and every subsequent hash changes.

This is a Merkle DAG. The same data structure that makes blockchains tamper-evident. Your commit history is a cryptographic proof linking each change to all previous changes.

Git records three layers of timestamps. AuthorDate is when the content was written. CommitterDate is when it was finalized into the repository. And the server-side push timestamp, recorded by GitHub or GitLab, marks when the remote received the data. That third timestamp is outside the developer's control.

A clone is a full copy of the entire history. Your collaborators, CI runners, and backup systems each hold an independent replica. Forensics researchers call this "evidence proliferation." Tampering with one copy does nothing if fifty others exist unchanged.

Under Federal Rules of Evidence 902(14), data verified through a process of digital identification can be self-authenticating. Hash verification qualifies. Your git history records what you wrote and proves nobody changed the record after you wrote it.

Git History in Court

In Orca v. Wiz, the court agreed git history is relevant to IP disputes but denied the blanket discovery request as overbroad. It granted a targeted request for specific features instead. Well-structured git history with clean attribution is more useful in court than a sprawling monorepo dump.

Krause v. Titleserv shows what happens without version control evidence. An independent contractor wrote 35 programs over 10 years with no written IP assignment. The relationship ended, and neither side had clean evidence of who built what. The contractor took his notebook containing the only source code copies. The company had the running executables but no development history. The Second Circuit spent years sorting out what should have been a straightforward question of authorship. A git log would have resolved it in an afternoon.

SCO v. IBM collapsed partly because SCO could not point to specific lines of infringed code. The judge called it "astonishing" that they offered no competent evidence. Version control history documenting who wrote which lines and when would have been the foundation of that case. Without it, SCO had nothing.

Doe v. GitHub, the class action against Copilot, alleges that GitHub stripped authorship metadata from training data. The DMCA Section 1202(b) claim treats attribution data as legally protected copyright management information. Your name in a git commit qualifies. Stripping it out is a potential legal violation. That case is still active.

How Developers Destroy Their Own Evidence

Squash merging is the most common way. A pull request with 15 commits gets squash-merged into a single commit. Before GitHub fixed this in December 2019, the squash commit was attributed to whoever clicked the merge button. The original author disappeared. Even now with co-author trailers, the granular timeline is gone. Fifteen data points reduced to one.

Rebasing rewrites commit hashes. Force pushing overwrites the remote. If those commits existed on one machine and one remote, the evidence is gone. New hashes, new CommitterDates, broken chain. The cryptographic proof that your history is tamper-free now proves it was tampered with.

Researchers studied 111 million repositories and found 1.22 million with altered histories. 8.7 million rewritten histories total. The reasons were mundane: retroactive license changes, removing committed secrets. From a legal perspective, each rewrite weakens the evidentiary value of the whole chain.

Shared commit accounts are worse. Teams using a single identity like deploy@company.com or generic CI bot accounts destroy attribution at the source. Research across 2 billion git commits found over 23 million author identities, with major problems linking them to real people. If your commits are attributed to a shared account, they are not attributed to you.

Leaving a company adds another layer. You lose access to the repositories. If the company deletes the repo, migrates without history, or folds, your proof of authorship goes with it. GitHub deleted repos are recoverable for 90 days. After that, years of work have no provenance.

Three Things Developers Get Wrong About Copyright

The first is that paying for code means owning it. It does not. Under 17 U.S.C. Section 201, the author owns the copyright unless there is an explicit work-for-hire arrangement or a written assignment. For independent contractors, work-for-hire requires a signed written agreement AND the work must fall into one of nine statutory categories. Software does not fit those categories. CCB Journal published an analysis concluding the work-for-hire doctrine "almost never works in software development contracts."

If you are an independent contractor and your agreement has no copyright assignment clause, you own what you wrote. The client paid for the service. They received a license to use the deliverable. They did not receive the intellectual property. This surprises both sides when it matters.

Only 28% of freelancers use a written contract for any given project. Of those who do, 68% have unknowingly signed away IP rights. The gap between what developers think their contracts say and what they actually say is where disputes start.

The second is that git history is bulletproof evidence. It is not. Author fields can be set to anything. Local timestamps can be faked by changing the system clock. Without GPG-signed commits or server-side push timestamps from a third-party platform, git history is strong corroborating evidence but not conclusive on its own. The Orca v. Wiz court treated it as relevant but still pushed back on scope. It strengthens your position. It does not guarantee it.

The third is that copyright requires registration. Under the Berne Convention, protection is automatic in 182 member states the moment you write the code. But in the US, registration unlocks three things you cannot get without it: the right to file an infringement lawsuit (Fourth Estate v. Wall-Street.com, 2019), statutory damages up to $150,000 per work for willful infringement (17 U.S.C. Section 504), and recovery of attorney's fees (Section 505). Without registration, you can recover actual damages only, and for code, proving a dollar amount is a different kind of fight.

The $45 Insurance Policy

US copyright registration for source code costs $45 through the Electronic Copyright Office. You submit the first and last 25 pages of source code. If trade secrets are a concern, you can redact portions or submit only the first and last 10 pages. Processing takes about four months. Expedited review costs $800 and takes five business days.

There is no citizenship requirement. International developers building for US clients can and should register. Without registration, you have automatic protection under Berne but no access to statutory damages or attorney's fees in US courts. For anyone doing contract work for American companies, $45 buys a legal position that is otherwise unavailable.

Timing is critical. 17 U.S.C. Section 412 limits you to actual damages if infringement starts before your registration is processed. No statutory damages. No attorney's fees. Fourth Estate confirmed the Copyright Office must process the registration before you can file suit. If a dispute starts and you have not registered, you are waiting months before you can do anything. Register before you need to.

Unicolors v. H&M (2022) confirmed that inadvertent errors on your application do not invalidate the registration. Deliberate falsehoods at the time of filing would. Honest mistakes do not.

What To Do Now

Sign your commits. GPG or SSH signatures prove the commit was made by the holder of a specific private key. GitHub stores the verification record with a timestamp that cannot be edited after the fact. A signed commit is a verified attestation. Without the signature, a commit is a self-reported claim that anyone could have authored.

Stop squashing by default. Clean git history looks nice and destroys legal evidence at the same time. A merge commit preserves the full branch history with every original author, timestamp, and message. A squash commit erases all of it.

Keep your own remote. If you are a contractor, maintain a clone on infrastructure you control. A remote with its own server-side timestamps that survives the end of the engagement. You are preserving proof of authorship, not taking code that belongs to someone else.

Use your real name. Commits attributed to deploy@company.com or ci-bot or jane@computer.local are not evidence of your authorship. They are evidence that someone pushed code. Use a real name and a verifiable email.

Write commit messages for a reader who does not know the codebase. "Fixed stuff" tells a judge nothing. "Implemented webhook deduplication using idempotency keys to prevent duplicate order processing" documents original engineering work. Your commit messages are the narrative layer of your contribution.

Register your copyright. $45 and a four-month wait. Do it before anything goes wrong. Section 412 does not care about your reasons for waiting.

Read your contracts. All of them. Look for two clauses: copyright assignment and IP ownership. If neither exists, you likely own what you build. If both exist and are specific, you likely do not. If the language is vague, that is where disputes live. Clarify it before you write the first line of code.

The Record

If you have a GitHub account, you are building a legal record right now. Your commits could be subpoenaed, analyzed, and presented in a courtroom. The name on those commits, the integrity of your history, your signatures, your registrations: those are decisions you are making today that you cannot make retroactively.

You will probably never face a copyright dispute. But if you do, your git log will be one of the first things a lawyer asks to see. Make sure it says what you need it to say.