Also remember that you can trivially fake author name, email and date in git and thus github. Only the github-side push log will tell which user pushed what, the commit log can lie all it wants.
Most notably, you can backdate a commit and github won't even show it in the commit log (because it uses strict commit date order).
Yes, but also remember that you'll get loud warnings about non-fast-forwards thanks to the cryptographically secure SHA1 hashes. This means that the repo admins and downstream clones can trivially detect history rewrites for branches they have fetched. Unfortunately, there isn't a good way for code-consumers to tell if and when a non-rewrite commit or branch has been "blessed" by an admin rather than some random committer. I guess this means that the README should make some mention of the collaboration policy and the admins should preserve release power to whatever the relevant package manager is.
Most notably, you can backdate a commit and github won't even show it in the commit log (because it uses strict commit date order).