Before starting, you can see for yourself by clicking on the link → https://github.com/martiliones/icon-set-creator
* don't forget to star the project if you like it :)
Idea
One day I wondered why my commits were not showing up in the activity overview. I googled and found on StackOverflow that GitHub uses the git author e-mail, not the authentication data, to link a commit to a profile. So I thought that maybe I could change the git e-mail to make a commit appear to come from another user without their participation.
Realisation
First of all, you need the e-mail address of the target user. At first my idea was to take the e-mail address from the user's git repository, but then I found that I could use the GitHub API to get it. Here is the GET API method you can run in your browser:
https://api.github.com/users/REPLACE_WITH_USERNAME/events/public
You will get a list of the user's public events, and you can easily find the e-mail address with the search box in your browser (Ctrl+F in most browsers, or the "Filter JSON" box in Firefox).
Once we get the email address, we can create a commit:
git -c user.name='Linus Torvalds' -c user.email='torvalds@linux-foundation.org' commit -m "JavaScript is my favorite language 💕"
For your commits to appear in the target user's Activity Overview, at least one of the following must be true:
- The user is a collaborator on the repository or a member of the organization that owns the repository.
- The user has forked the repository.
- The user has opened a pull request or issue in the repository.
- The user has starred the repository.
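A defender-side check, added here as an example and not part of the original post: it parses git log output in a fixed format and lists commits whose author e-mail belongs to a protected identity but that do not carry a good signature, which is exactly what a spoofed author field looks like once the real person signs their commits. The hashes, names and e-mail addresses in the sample are constructed.

```python
"""Flag commits that claim a protected identity but carry no good signature.

Parses the output of a git log invocation such as:

    git log --format='%H%x09%G?%x09%ae%x09%an'

where %G? is git's signature status: G = good signature, U = good signature
from an untrusted key, X/Y/R = good signature but expired or revoked key,
B = bad signature, E = signature cannot be checked, N = no signature.
"""

# Constructed sample output (not from any real repository); hashes are fake.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111\tG\tmaintainer@example.org\tMaintainer
2222222222222222222222222222222222222222\tN\tmaintainer@example.org\tMaintainer
3333333333333333333333333333333333333333\tN\tdrive-by@example.net\tDrive By
4444444444444444444444444444444444444444\tB\tmaintainer@example.org\tMaintainer
"""

# Identities whose commits the repository policy requires to be signed.
PROTECTED_EMAILS = {"maintainer@example.org"}


def parse_log(text):
    """Yield (sha, status, email, name) tuples from tab-separated log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, email, name = line.split("\t", 3)
        yield sha, status, email, name


def suspicious_commits(text, protected=PROTECTED_EMAILS):
    """Return (sha, status, email) for protected e-mails lacking a good signature.

    Only 'G' counts as good: an untrusted ('U'), bad ('B') or missing ('N')
    signature gives no assurance that the claimed person set the author field.
    """
    return [
        (sha, status, email)
        for sha, status, email, _ in parse_log(text)
        if email.lower() in protected and status != "G"
    ]


if __name__ == "__main__":
    for sha, status, email in suspicious_commits(SAMPLE_LOG):
        print(f"{sha[:12]}  status={status}  claims {email}")
```

Pipe a real `git log --format='%H%x09%G?%x09%ae%x09%an'` into `suspicious_commits` to run the same check on a repository you administer.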
Results
You can do this with anyone as long as you have a user's email address.
Conclusion
I think GitHub should fix this bug to prevent attacks on profiles. As an example, if the target user has starred your repository, you can draw something in their Activity Overview.
Thank you for your time. Share your opinion about it in the comments 👇
Top comments (36)
It’s kind of a feature, but still a good find! 😄
Also a good example of why you should sign your commits.
Don't worry, impersonation is not possible because of commit signing using GPG keys and signing off. GitHub includes a special mechanism called vigilant mode to enable that, but trust me, you don't even need that. The "Trusted" label on each signed commit is the sole authenticity.
Linking to your GitHub profile in the commits and contributors is impersonating, isn't it? There is no verified label in the contributor list.
Hmmm… Yes, no verified label in the contributors' list. But there will definitely be an unverified label in the commits if the person who is being impersonated has turned on vigilant mode. Also, in any legal processing, such commits would be deemed untrusted, because they won't be signed by the private key of the actual person.
That's why I recommend signing all commits.
What's more, it's why you should require contributors to sign any commit that's of actual legal interest, aka. any non-trivial contribution to an open source repository, so you can prove they willingly submitted their code to the repository knowing the license as well as having someone to blame if it turns out they stole the code :D
This is how git works and how it has to work. Your authentication is only about write access or not. When you collaborate and merge between branches and many contributors, you include other people's commits all the time. This is by design and is well known. Changing this would require github to not be a compliant git server anymore.
With that said, I guess they could make it harder to add people to the contributor list. Maybe a user could have an option like "I always sign my commits" and then only signed commits would apply for that user?
Also, this reminded me of a long-standing todo of adding gpg code signing to all my dev environments, and I did it now together with vigilant mode as mentioned elsewhere.
I also just turned on vigilant mode. I'd still like to see a more aggressive "if it ain't signed, it ain't mine" checkbox though. I'll sign everything that isn't a non-trivial change and, if I don't, I often even re-commit on my desktop later on so the commit gets its signature.
I suspect it is complicated to do for edge cases though. Let's say you contributed unsigned and with your email 10 years ago in some git repo currently not on github, and then it is imported now. Then the import would fail and the owner of the repo would not be able to fix it without breaking everyone else's commits.
The import doesn't need to fail, it just needs to communicate clearly that the contributor isn't confirmed; maybe by leaving the username greyed out with an "unconfirmed" warning right next to it.
But then it is basically the same as today, except for the greying out?
Does it already mark unverified contributors? I've never seen that happen on github.
Because very few enable vigilant mode I guess. Here is one made by me before I started signing my commits
My point is, when I enable vigilant mode, I don't want to show up in any contributor list unless at least one commit on that repository is signed, or at least only appear greyed out or something.
Of course, agreed
How do you turn on vigilant mode? I cannot find it. Worked it out.
As with many junior techs, you should quickly learn the difference between:
You could get sued for ID fraud, even the most basic.
You could get sued, but nobody would ever bother, much less if you impersonate someone in another country.
Thanks for sharing your opinion!
this is literally what signed commits are for.
This is neither a bug, nor is it easy to "fix". The solution is to use the right tool for the job and sign your commits.
Oh and by the way:
git commit --author 'Your Name <your.name@domain.com>'
does the same thing but is much easier to remember. And it's far from the only thing you can mess with, take for example this neat little script I use to make commits "in the future":
Just put that script in your path as
git-timeshift
and you can call it as
git timeshift "+3 hours" commit
to commit something with a timestamp 3 hours in the future. Why you might want to do this, I'll leave to your imagination.
Thank you for your comment!
You can also make commits in the past. There is Anthony Fu's script to make a commit in 1990: github.com/antfu/1990-script
I always thought it would take contributors from the PRs history ... if it takes them from the git logs, that is a problem. As everyone said, proper signing is the way to go, because the simplicity in Git's logs is there in case you are using it as an internal tool, where only people in your workgroup have access to it and it assumes you trust everyone.
Did you expose that to the github team???
I'm pretty sure the github team has known this since the first day and don't need any well-meaning users pointing it out to them :D
Smart! I saw a Linus Torvalds contribution to a trivial repo the other day and I wondered how and why in the world he would do so. This explains it 😂😂
You don't actually need their email address. It will work with the GitHub noreply address that every user has, so all you need is their user id which is public.
Not working for me.
What exactly could you not do? Enter
git log
and you should see something like
Author: Name <email@example.com>
You first need to change something in your project and register the changed files to create a commit, using
git add .
Then you can enter the command from the article and "push" the changes with the
git push -u origin master
command. Hope I helped you :)