DEV Community

Discussion on: How I got Linus Torvalds in my contributors on GitHub

Collapse
paramsiddharth profile image
Param Siddharth

Don't worry, impersonation is not possible because of commit signing using GPG keys and signing off. GitHub includes a special mechanism called vigilant mode to enable that, but trust me, you don't even need that. The "Trusted" label on each signed commit is the sole authenticity.

Collapse
martiliones profile image
martiliones Author • Edited on

Linking to your GitHub profile in the commits and contributors is impersonating, isn't it? There is no verified label in the contributor list

Collapse
paramsiddharth profile image
Param Siddharth

Hmmm… Yes, no verified label in the contributors' list. But there will definitely be an unverified label in the commits if the person who is being impersonated has turned on vigilant mode. Also, in any legal processing, such commits would be deemed untrusted, because they won't be signed by the private key of the actual person.

That's why I recommend signing all commits.

Thread Thread
darkwiiplayer profile image
𒊩Wii 💖💛💚💙💜💝💟

What's more, it's why you should require contributors to sign any commit that's of actual legal interest, aka. any non-trivial contribution to an open source repository, so you can prove they willingly submitted their code to the repository knowing the license as well as having someone to blame if it turns out they stole the code :D