

GitHub's email correlation for authorship - timf
http://github.com/timf/hubsecurity

======
timf
This was just me verifying what I saw, that if you push commits to GitHub, it
correlates the email address of authors introducing commits elsewhere. You can
make it look like anyone you want is contributing patches, the avatar shows
up, etc. This example commit does NOT show up in dhh's timeline, though.

I am not going to start requiring PGP signing for my projects, they are not
big enough to miss something fishy. This was just something I hadn't
considered, it is probably an obvious issue to many already.

~~~
lenni
Would you care to elaborate a little? I only understand it partially.

So, you aren't 'dhh' but you committed using his email address and it showed up
as him?

~~~
clemesha
You have it correct. What you say in your second sentence is exactly the
issue.

If this is "actually" a big issue or not is another question.

~~~
technoweenie
Sure, all it does is link the commit to a github login. It doesn't somehow
give you access to any data that's not yours. You've just discovered another
way to post spam.

------
petercooper
We could call this "joe patching," named after the similar issue of "joe
jobbing." :-)

------
adbge
Might be an issue in that it could be used to damage someone's reputation by
spoofing their avatar/etc and then trying to push malicious commits. That's
what occurs to me at first glance, anyways.

------
tav
I'm not really sure why this is an issue at all. Yes, "rogue" repositories
could claim that you'd authored various commits. But, why would people be
looking at these repos in the first place?

There's a very strong built-in trust mechanism on GitHub — mainly due to the
fact that repositories hang off of "users" instead of them hanging off of
"projects".

And, myself, when browsing around aimlessly on GitHub, tend to check out
either reputable projects (where such behaviour is not likely to go unnoticed)
or the repos of a hacker I'm interested in — who surely doesn't have much
reason to fake their own commits? ;p

Heh, maybe this could be the basis for a GitHub Reality TV show. "Tonight: DHH
fakes his own death!" ;p

------
oomkiller
Git makes PGP so ridiculously easy to do (as far as unix goes) that it
shouldn't be that big of a deal to add the option.

------
jrockway
Just like regular mail, e-mail, the bylines on articles, people on the phone,
...

If you don't want people to worry about the integrity of your code, then "git
tag -s" to sign a tag. Signing a tag makes it possible to verify the
authenticity of the entire branch to that point.
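The point made in this thread, as an added example that is not part of any poster's comment and not GitHub's own code: the `author` line of a git commit object is free text, so the email GitHub correlates on proves nothing by itself; only a `gpgsig` header (from `git commit -S`) or a signed tag binds an object to a key. The parser below reads raw commit objects in the layout `git cat-file -p` prints, extracts the claimed author, and flags commits that claim a protected maintainer's email without carrying a signature. The two sample commits, the maintainer list and the signature body are constructed placeholders.

```python
"""Flag commits that claim a protected author identity without a signature.

Added example, not from the thread. The commit objects below are
hand-constructed in the format `git cat-file -p <sha>` prints; the PGP
signature body is a placeholder, not a real signature.
"""
import re
from dataclasses import dataclass

# author <name> <email> <unix-timestamp> <tz-offset>
AUTHOR_RE = re.compile(
    r"^author (?P<name>.*?) <(?P<email>[^>]*)> (?P<ts>\d+) (?P<tz>[+-]\d{4})$"
)


@dataclass
class CommitIdentity:
    name: str
    email: str
    signed: bool  # True if a gpgsig header is present (presence only, not validity)


def parse_commit(raw: str) -> CommitIdentity:
    """Parse the header block of a raw commit object.

    Headers end at the first blank line. A multi-line header such as gpgsig
    continues on lines that begin with a single space; those lines are
    skipped so that text inside the signature body can never be mistaken
    for a real 'author' header.
    """
    name = email = None
    signed = False
    for line in raw.split("\n"):
        if line == "":
            break  # end of headers; the commit message follows
        if line.startswith(" "):
            continue  # continuation line of the previous multi-line header
        key, _, _ = line.partition(" ")
        if key == "gpgsig":
            signed = True
        elif key == "author" and name is None:
            m = AUTHOR_RE.match(line)
            if m is None:
                raise ValueError(f"malformed author header: {line!r}")
            name, email = m.group("name"), m.group("email")
    if name is None:
        raise ValueError("commit has no author header")
    return CommitIdentity(name, email, signed)


def unsigned_impersonations(commits, protected_emails):
    """Return (name, email) for commits that claim a protected email but are unsigned."""
    protected = {e.lower() for e in protected_emails}
    hits = []
    for raw in commits:
        ident = parse_commit(raw)
        if ident.email.lower() in protected and not ident.signed:
            hits.append((ident.name, ident.email))
    return hits


# Constructed sample: pushed by one person, author line claims someone else.
UNSIGNED = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "author Example Maintainer <maintainer@example.org> 1300000000 +0000\n"
    "committer Some Pusher <pusher@example.net> 1300000000 +0000\n"
    "\n"
    "Looks like the maintainer wrote this, but nothing binds the claim\n"
)

# Constructed sample: same claimed author, but with a gpgsig header
# (signature body is a placeholder).
SIGNED = (
    "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    "author Example Maintainer <maintainer@example.org> 1300000100 +0000\n"
    "committer Example Maintainer <maintainer@example.org> 1300000100 +0000\n"
    "gpgsig -----BEGIN PGP SIGNATURE-----\n"
    " \n"
    " PLACEHOLDERSIGNATUREBODY\n"
    " -----END PGP SIGNATURE-----\n"
    "\n"
    "Signed commit\n"
)

PROTECTED = {"maintainer@example.org"}  # constructed maintainer list

if __name__ == "__main__":
    for name, email in unsigned_impersonations([UNSIGNED, SIGNED], PROTECTED):
        print(f"unsigned commit claims protected identity: {name} <{email}>")
```

The check only reports whether a signature header exists; validating it against a trusted key is the job of `git verify-commit` or, for a signed tag as jrockway describes, `git verify-tag`, which covers every commit reachable from that tag.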

------
JamesBastard
Github has a bunch of security holes.....you'd be surprised what's out there
right now....

here's a screenshot from some of my github exploits...

<http://i.imgur.com/irL01.png>

~~~
colonelxc
I don't get it? It looks just like the "explore" page on github... am I
missing something?

~~~
there
The top trending project is a project he created to get to the top of the
trending projects list.

