It's the actual source code, but this is the result of two known WONTFIX issues on GitHub:
* Any commit can be attributed to any user on the site by way of the author/committer fields in git. No authentication or checking is done.
* Any content can be attached to any repository that accepts pull requests, and will be accessible on that repository's url if you have its hash (previous discussion: https://news.ycombinator.com/item?id=24882921)
GitHub allows enterprise customers to run their own GitHub instance on-premises, so any one of those could have peeked inside the VM and pulled out the source code.
No. Commits are trivial to fake because there's not authentication on the commits themselves.
How to commit as nat:
```
git config --global user.name "Nat Friedman"
git config --global user.email "nat@nat.org"
git add .
git commit -m "felt cute, might put gh source code on dmca repo now idk"
```
You can pretty much add any email address to commits. This is why you cannot trust any commit unless they've been signed with a public key assigned to an account or email address (aka "Verified" on Github/Gitlab, or verified with a trusted GPG key, or some other method you consider reliable enough for code signatures).
It's not actually pushed to the DMCA repo, it's pushed to a fork. GitHub will show the commit from the fork as if it's from the main repository if you specify the commit hash in the url. See this comment from yesterday for more details [1], with a proof of concept on the linux kernel repo [2].
I'm surprised that it includes a README and other development-only files. I would have expected they would have removed anything that's not necessary for actually running the site, to minimize risk.
It has been a few years since I poked at it last, but there is some light obfuscation and inline comments on how to remove it. They fully expect people to peak under the hood but at least make it difficult for someone who has no idea what they are doing to break things.
17 comments
[ 3.0 ms ] story [ 46.3 ms ] thread* Any commit can be attributed to any user on the site by way of the author/committer fields in git. No authentication or checking is done.
* Any content can be attached to any repository that accepts pull requests, and will be accessible on that repository's url if you have its hash (previous discussion: https://news.ycombinator.com/item?id=24882921)
More civil disobedience than hack, really.
https://enterprise.github.com/faq
How to commit as nat: ``` git config --global user.name "Nat Friedman" git config --global user.email "nat@nat.org" git add . git commit -m "felt cute, might put gh source code on dmca repo now idk" ```
You can pretty much add any email address to commits. This is why you cannot trust any commit unless they've been signed with a public key assigned to an account or email address (aka "Verified" on Github/Gitlab, or verified with a trusted GPG key, or some other method you consider reliable enough for code signatures).
The git book has an explanation on how to set up code signing if you're curious: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
[1] https://news.ycombinator.com/item?id=24976138 [2] https://github.com/torvalds/linux/tree/5895e21f3c744ed9829e3...
1. Fork a repo.
2. Make a commit using someone else's email address.
3. Push to Github.
You can then link to the commit in the original repo and it will look like it came from someone else.
https://enterprise.github.com/faq