17 comments

[ 3.0 ms ] story [ 46.3 ms ] thread
Why is it committed by nat himself? I assume it's a tease of github source code being open sourced similar to GitLab?
I bet on a hack.
It's definitely a hack. Look at the commit message.
Commit is not signed, it could have been anyone, just by changing the email/username in gitconfig.
Is it the actual source code then? Was it an internal leaker or was GitHub's repo compromised? I have so many questions.
It's the actual source code, but this is the result of two known WONTFIX issues on GitHub:

* Any commit can be attributed to any user on the site by way of the author/committer fields in git. No authentication or checking is done.

* Any content can be attached to any repository that accepts pull requests, and will be accessible on that repository's url if you have its hash (previous discussion: https://news.ycombinator.com/item?id=24882921)

More civil disobedience than hack, really.

GitHub allows enterprise customers to run their own GitHub instance on-premises, so any one of those could have peeked inside the VM and pulled out the source code.

https://enterprise.github.com/faq

No. Commits are trivial to fake because there's not authentication on the commits themselves.

How to commit as nat: ``` git config --global user.name "Nat Friedman" git config --global user.email "nat@nat.org" git add . git commit -m "felt cute, might put gh source code on dmca repo now idk" ```

You can pretty much add any email address to commits. This is why you cannot trust any commit unless they've been signed with a public key assigned to an account or email address (aka "Verified" on Github/Gitlab, or verified with a trusted GPG key, or some other method you consider reliable enough for code signatures).

The git book has an explanation on how to set up code signing if you're curious: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work

Sorry I'm confused - what are the implications of this?
Anyone can do this.

1. Fork a repo.

2. Make a commit using someone else's email address.

3. Push to Github.

You can then link to the commit in the original repo and it will look like it came from someone else.

But where do you get the GitHub source code for step 2?
Work for a company that licenses GitHub Enterprise and lift the source code from the appliance

https://enterprise.github.com/faq

I'm surprised that it includes a README and other development-only files. I would have expected they would have removed anything that's not necessary for actually running the site, to minimize risk.
It has been a few years since I poked at it last, but there is some light obfuscation and inline comments on how to remove it. They fully expect people to peak under the hood but at least make it difficult for someone who has no idea what they are doing to break things.
(comment deleted)