This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The reason will be displayed to describe this comment to others. Learn more.
This kinda crap is why github is not an appropriate place for real-world projects, Security, enforcement and OPSEC at an all-time low across the board.
The reason will be displayed to describe this comment to others. Learn more.
This is equivalent to email spoofing. Another one of a multitude of reasons Github could support and verify GPG signed commits and tags, and permit repos to optionally reject unsigned commits.
The reason will be displayed to describe this comment to others. Learn more.
@steakknife honestly it seems that GitHub totally lost a momentum. A lot of features, and enhancements random people are constantly whining about (IPv6 for example) yet to be implemented. There is no visible issue tracker for that. It's just not possible to ask GH staff for anything technical. I'm afraid with @mojombo's retirement GitHub become stagnant. The only (and quite big btw) valuable asset left intact of GitHub is people but who knows for how long.
The reason will be displayed to describe this comment to others. Learn more.
@Davorak: Who pushed it doesn't reflect who authored or committed it anyway. Note that I can push a repo with commits done by anybody else.
@hobarrera - I was/am aware, my main point was unlike the the author of the commit, to my knowledge, it is not possible to spoof the login of the pusher given by the events api. So when using github and without additional signing a logical step is to hold those who push code to a repo responsible for any negative consequences regardless what the author information says, barring a some exceptions.
The reason will be displayed to describe this comment to others. Learn more.
Just now I checked the https://github.com/torvalds/linux/commits/master and saw that even Linus is not signing his commits. Is it not a thing yet even after 1.5 years since Github started supporting signed commits?
The reason will be displayed to describe this comment to others. Learn more.
Linus doesn't use GitHub, so he has probably never uploaded his key.
Signing commits has been also around for much longer (v1.7.9) than GitHub has added support for it.
Years before commit signing was possible, Linus said:
Btw, there's a final reason, and probably the really real one. Signingeach commit is totally stupid. It just means that you automate it, and youmake the signature worth less. It also doesn't add any real value, sincethe way the git DAG-chain of SHA1's work, you only ever need _one_signature to make all the commits reachable from that one be effectivelycovered by that one. So signing each commit is simply missing the point.
IOW, you don't ever have a reason to sign anythign but the "tip". Theonly exception is the "go back and re-sign", but that's the one thatrequires external signatures anyway.
So be happy with 'git tag -s'. It really is the right way.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
WOWOWOWOWW
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm GIT and I find it offensive. GIT IT?
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm actually a wallaby
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems like github should probably distinguish between signed and non-signed commits.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
like duh
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
eat💩
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ヽ༼ຈل͜ຈ༽ノ
DONGLES
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sweet. He even signs off if you ask him nicely.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can't believe it
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wat
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nothing to say
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can do more fun things: jomo@c616eff
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can use github's api to identify out who pushed a commit:
Currently the event in question is on page 3 so you can use:
https://api.github.com/repos/amoffat/masquerade/events?page=3
It i will roll to further pages as new events come in.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This kinda crap is why github is not an appropriate place for real-world projects, Security, enforcement and OPSEC at an all-time low across the board.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Two billion dollars
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
torvalds/linux#17
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Linus is gonna be mad😃
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Davorak: Who pushed it doesn't reflect who authored or committed it anyway. Note that I can push a repo with commits done by anybody else.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
interesting, but no suprise, I believe it will be fixed soon.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is equivalent to email spoofing. Another one of a multitude of reasons Github could support and verify GPG signed commits and tags, and permit repos to optionally reject unsigned commits.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
1 more reason for Linus for ditching/undermining Github
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@steakknife honestly it seems that GitHub totally lost a momentum. A lot of features, and enhancements random people are constantly whining about (IPv6 for example) yet to be implemented. There is no visible issue tracker for that. It's just not possible to ask GH staff for anything technical. I'm afraid with @mojombo's retirement GitHub become stagnant. The only (and quite big btw) valuable asset left intact of GitHub is people but who knows for how long.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Such clever.
Very hack.
Wow.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wish everyone here would stop whinging and learn how to use gpg to sign tags (thusly history). https://git-scm.com/book/tr/v2/Git-Tools-Signing-Your-Work
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Spaceghost me too. I don't understand why GitHub never pushed for that ?
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, the irony http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html (see why Linus thinks that GnuPG-signed commits are a bad idea)
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hobarrera - I was/am aware, my main point was unlike the the author of the commit, to my knowledge, it is not possible to spoof the login of the pusher given by the events api. So when using github and without additional signing a logical step is to hold those who push code to a repo responsible for any negative consequences regardless what the author information says, barring a some exceptions.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://github.com/blog/2144-gpg-signature-verification
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just now I checked the https://github.com/torvalds/linux/commits/master and saw that even Linus is not signing his commits. Is it not a thing yet even after 1.5 years since Github started supporting signed commits?
9b05625There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Linus doesn't use GitHub, so he has probably never uploaded his key.
Signing commits has been also around for much longer (v1.7.9) than GitHub has added support for it.
Years before commit signing was possible, Linus said: