DEV Community

How I got Linus Torvalds in my contributors on GitHub

martiliones on August 25, 2021

Before starting, you can see for yourself by clicking on the link → https://github.com/martiliones/icon-set-creator * don't forget to star project...
Chun Fei Lung

It’s kind of a feature, but still a good find! 😄

Also a good example of why you should sign your commits.

Param Siddharth

Don't worry, impersonation is not possible because of commit signing using GPG keys and signing off. GitHub includes a special mechanism called vigilant mode to enable that, but trust me, you don't even need that. The "Trusted" label on each signed commit is the sole authenticity.

martiliones • Edited

Linking to your GitHub profile in the commits and contributors is impersonating, isn't it? There is no verified label in the contributor list.

Param Siddharth

Hmmm… Yes, no verified label in the contributors' list. But there will definitely be an unverified label in the commits if the person who is being impersonated has turned on vigilant mode. Also, in any legal processing, such commits would be deemed untrusted, because they won't be signed by the private key of the actual person.

That's why I recommend signing all commits.

𒎏Wii 🏳️‍⚧️

What's more, it's why you should require contributors to sign any commit that's of actual legal interest, aka. any non-trivial contribution to an open source repository, so you can prove they willingly submitted their code to the repository knowing the license as well as having someone to blame if it turns out they stole the code :D

BearOve

This is how git works and how it has to work. Your authentication is only about write access or not. When you collaborate and merge between branches and many contributors you include other peoples commits all the time. This is by design and is well known. Changing this would require github to not be a compliant git server anymore.

BearOve

With that said, I guess they could make it harder to add people to the contributor list. Maybe a user could have an option like "I always sign my commits" and then only signed commits would apply for that user?

BearOve

Also, this reminded me of a long-standing todo of adding GPG code signing to all my dev environments, and I did it now together with vigilant mode as mentioned elsewhere.

𒎏Wii 🏳️‍⚧️

I also just turned on vigilant mode. I'd still like to see a more aggressive "if it ain't signed, it ain't mine" checkbox though. I'll sign everything that isn't a non-trivial change and, if I don't, I often even re-commit on my desktop later on so the commit gets its signature.

BearOve

I suspect it is complicated to do for edge cases though. Let's say you contributed unsigned and with your email 10 years ago in some git repo currently not on GitHub, and then it is imported now. Then the import would fail and the owner of the repo would not be able to fix it without breaking everyone else's commits.

𒎏Wii 🏳️‍⚧️

The import doesn't need to fail, it just needs to communicate clearly that the contributor isn't confirmed; maybe by leaving the username greyed out with an "unconfirmed" warning right next to it.

BearOve

But then it is basically the same as today, except for the greying out?

𒎏Wii 🏳️‍⚧️

Does it already mark unverified contributors? I've never seen that happen on github.

BearOve • Edited

Because very few enable vigilant mode I guess. Here is one made by me before I started signing my commits

𒎏Wii 🏳️‍⚧️

My point is, when I enable vigilant mode, I don't want to show up in any contributor list unless at least one commit on that repository is signed, or at least only appear greyed out or something.

BearOve

Of course, agreed

Francis Grizzly Smit

How do you turn on vigilant mode? I cannot find it.

Francis Grizzly Smit

Worked it out.

JudicaelD

As many junior techs, you should quickly learn the difference between:

  • It's technically possible.
  • Oh I shall do that, expose it publicly and make an article about it.

You could get sued for ID fraud, even the most basic.

𒎏Wii 🏳️‍⚧️

You could get sued, but nobody would ever bother, much less if you impersonate someone in another country.

martiliones

Thanks for sharing your opinion!

Pietro T.

this is literally what signed commits are for.

𒎏Wii 🏳️‍⚧️ • Edited

I think GitHub should fix this bug to prevent attacks on profiles

This is neither a bug, nor is it easy to "fix". The solution is to use the right tool for the job and sign your commits.


Oh and by the way: git commit --author 'Your Name <your.name@domain.com>' does the same thing but is much easier to remember. And it's far from the only thing you can mess with, take for example this neat little script I use to make commits "in the future":

```sh
#!/bin/sh
# git-timeshift: run a git command with the author and committer dates set to
# an arbitrary point in time, e.g. `git timeshift "+3 hours" commit`.
# Both dates are plain commit metadata: git records whatever is in these
# variables, and only a signature ties a commit to a real identity.
DATE="$1"; shift 1                              # first argument is the date expression
export GIT_AUTHOR_DATE=$(date +%s -d "$DATE")   # GNU date: resolve it to a Unix timestamp
export GIT_COMMITTER_DATE=$GIT_AUTHOR_DATE      # committer date follows the author date
git "$@"                                        # remaining arguments go to git unchanged
```

Just put that script in your path as git-timeshift and you can call it as git timeshift "+3 hours" commit to commit something with a timestamp 3 hours in the future. Why you might want to do this, I'll leave to your imagination.

martiliones • Edited

Thank you for your comment!

You can also make a commit in the past. There is Anthony Fu's script to make a commit in 1990: github.com/antfu/1990-script

Raí B. Toffoletto • Edited

I always thought it would take contributors from the PR history ... if it takes them from the git logs, that's a problem. As everyone said, proper signing is the way to go, because the simplicity of Git's logs is there in case you are using it as an internal tool, where only people in your workgroup have access to it and it assumes you trust everyone.

Did you expose that to the github team???

𒎏Wii 🏳️‍⚧️

I'm pretty sure the github team has known this since the first day and don't need any well-meaning users pointing it out to them :D

Dan Bamikiya

Smart! I saw a Linus Torvalds contribution to a trivial repo the other day and I wondered how and why in the world he would do so. This explains it 😂😂

Vincent A. Cicirello

You don't actually need their email address. It will work with the GitHub noreply address that every user has, so all you need is their user id which is public.

Himanshu Chandola

Not working for me.

martiliones • Edited

What exactly could you not do? Enter git log; you should see something like Author: Name <email@example.com>

Comment deleted
 
martiliones

You first need to change something in your project and register the changed files to create a commit, using git add ., then you can enter the command from the article and "push" the changes with the git push -u origin master command. Hope I helped you :)

Owen Melbourne

This has been solved by using GPG keys for a while now. It is a completely opt-in system in which developers can attach their signature to a commit, which will then show as verified. This stops others from just using any email address: it will still show as them, BUT it will contain an unverified icon - docs.github.com/en/github/authenti...
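The verified/unverified distinction described above, as an added example that is not from this thread or from GitHub: a small policy check over `git log` signature fields (`%G?` status codes and `%GS` signer identity are real git format placeholders; the sample log lines are constructed) that refuses to credit a commit unless it carries a good signature from a key whose user ID matches the author e-mail. That is the property the forged `--author` trick in the article cannot produce.

```python
import re
from dataclasses import dataclass

# Constructed sample of `git log --format='%H|%G?|%an|%ae|%GS'` output.
# %G? codes: G good, B bad, U/X/Y/R good but untrusted/expired/revoked key,
# E signature present but key unavailable, N no signature at all.
SAMPLE_LOG = """\
a1b2c3d|G|Alice Dev|alice@example.com|Alice Dev <alice@example.com>
e4f5a6b|N|Famous Maintainer|famous@example.com|
c7d8e9f|G|Famous Maintainer|famous@example.com|Alice Dev <alice@example.com>
0a1b2c3|B|Alice Dev|alice@example.com|Alice Dev <alice@example.com>
"""

@dataclass
class Verdict:
    sha: str
    author_email: str
    status: str  # verified | unsigned | bad-signature | unverifiable | untrusted-key | signer-mismatch
    reason: str

def _signer_email(signer: str) -> str:
    """Pull the e-mail out of a key user ID such as 'Name <mail>'."""
    m = re.search(r"<([^>]+)>", signer)
    return (m.group(1) if m else signer).strip().lower()

def classify(line: str) -> Verdict:
    sha, code, _name, email, signer = line.split("|", 4)
    email = email.strip().lower()
    if code == "N":
        return Verdict(sha, email, "unsigned", "no signature; the author field is unauthenticated metadata")
    if code == "B":
        return Verdict(sha, email, "bad-signature", "signature does not verify; content or signature altered")
    if code == "E":
        return Verdict(sha, email, "unverifiable", "signed, but the signing key is not available locally")
    if code in ("U", "X", "Y", "R"):
        return Verdict(sha, email, "untrusted-key", f"good signature but key state {code}")
    if code != "G":
        return Verdict(sha, email, "unverifiable", f"unknown status code {code!r}")
    # A valid signature proves who signed, not whom the author field names.
    if _signer_email(signer) != email:
        return Verdict(sha, email, "signer-mismatch", f"signed by {signer!r}, author claims {email}")
    return Verdict(sha, email, "verified", "good signature from a key matching the author e-mail")

def audit(log_text: str) -> list[Verdict]:
    return [classify(l) for l in log_text.splitlines() if l.strip()]

def failing(log_text: str) -> list[str]:
    """SHAs that a 'credit only verified commits' policy would refuse to count."""
    return [v.sha for v in audit(log_text) if v.status != "verified"]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"{v.sha} {v.status:15} {v.reason}")
```

GitHub's own "Verified" badge additionally requires the key to be registered on the account owning that e-mail, which a local check cannot see; this example is the local approximation.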

Alexandre Plt

You can sort of prevent it by signing your commits with a gpg key :)

Aatmaj

Superb!

NetPlayer

Linus will actually contribute as soon as he finds out, if he really is still the reverse engineer he was back when he started it all.
Kudos to the OP. In a world where we can hardly invent something on our own, we at least owe it to ourselves to exploit what's already there.