Permalink
Browse files

Enjoy!

  • Loading branch information...
torvalds committed Aug 4, 2015
0 parents commit 9b0562595cc479ac8696110cb0a2d33f8f2b7d29
Showing with 10 additions and 0 deletions.
  1. +10 −0 README.md
@@ -0,0 +1,10 @@
Instructions on masquerading as other users in git:
```bash
export GIT_AUTHOR_NAME="Linus Torvalds"
export GIT_AUTHOR_EMAIL="torvalds@linux-foundation.org"
export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME"
export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"
git commit -m "Enjoy!"
```

34 comments on commit 9b05625

@androm3da

This comment has been minimized.

androm3da replied Aug 4, 2015

WOWOWOWOWW

@giacgbj

This comment has been minimized.

giacgbj replied Aug 4, 2015

I'm GIT and I find it offensive. GIT IT?

@robotnoises

This comment has been minimized.

robotnoises replied Aug 4, 2015

I'm actually a wallaby

@uxcn

This comment has been minimized.

uxcn replied Aug 4, 2015

It seems like github should probably distinguish between signed and non-signed commits.

@estrabd

This comment has been minimized.

estrabd replied Aug 4, 2015

like duh

@hilios

This comment has been minimized.

hilios replied Aug 4, 2015

eat 💩

@paulanunda

This comment has been minimized.

paulanunda replied Aug 4, 2015

ヽ༼ຈل͜ຈ༽ノ

DONGLES

@stephen-mw

This comment has been minimized.

stephen-mw replied Aug 4, 2015

Sweet. He even signs off if you ask him nicely.

@crisdpa

This comment has been minimized.

crisdpa replied Aug 4, 2015

Can't believe it

@BelfordZ

This comment has been minimized.

BelfordZ replied Aug 4, 2015

wat

@gaapt

This comment has been minimized.

gaapt replied Aug 4, 2015

nothing to say

@warmwaffles

This comment has been minimized.

warmwaffles replied Aug 4, 2015

linus

@jomo

This comment has been minimized.

jomo replied Aug 4, 2015

You can do more fun things: jomo@c616eff

screenshot

@Davorak

This comment has been minimized.

Davorak replied Aug 4, 2015

You can use github's api to identify out who pushed a commit:

Currently the event in question is on page 3 so you can use:
https://api.github.com/repos/amoffat/masquerade/events?page=3

It i will roll to further pages as new events come in.

{
    "id": "3030685599",
    "type": "PushEvent",
    "actor": {
      "id": 259113,
      "login": "amoffat",
      "gravatar_id": "",
      "url": "https://api.github.com/users/amoffat",
      "avatar_url": "https://avatars.githubusercontent.com/u/259113?"
    },
    "repo": {
      "id": 40194425,
      "name": "amoffat/masquerade",
      "url": "https://api.github.com/repos/amoffat/masquerade"
    },
    "payload": {
      "push_id": 747582733,
      "size": 1,
      "distinct_size": 1,
      "ref": "refs/heads/master",
      "head": "9b0562595cc479ac8696110cb0a2d33f8f2b7d29",
      "before": "2ff8c2e08b0be167a6794a1a03b7a41f0c459141",
      "commits": [
        {
          "sha": "9b0562595cc479ac8696110cb0a2d33f8f2b7d29",
          "author": {
            "email": "torvalds@linux-foundation.org",
            "name": "Linus Torvalds"
          },
          "message": "Enjoy!",
          "distinct": true,
          "url": "https://api.github.com/repos/amoffat/masquerade/commits/9b0562595cc479ac8696110cb0a2d33f8f2b7d29"
        }
      ]
    },
    "public": true,
    "created_at": "2015-08-04T18:44:26Z"
  },
@psychocandy

This comment has been minimized.

psychocandy replied Aug 4, 2015

nice.

@logicrime

This comment has been minimized.

logicrime replied Aug 4, 2015

This kinda crap is why github is not an appropriate place for real-world projects, Security, enforcement and OPSEC at an all-time low across the board.

@formans

This comment has been minimized.

formans replied Aug 4, 2015

Two billion dollars

@romi-h

This comment has been minimized.

romi-h replied Aug 4, 2015

@andreyhsiao

This comment has been minimized.

andreyhsiao replied Aug 5, 2015

Linus is gonna be mad 😃

@WhyNotHugo

This comment has been minimized.

WhyNotHugo replied Aug 5, 2015

@Davorak: Who pushed it doesn't reflect who authored or committed it anyway. Note that I can push a repo with commits done by anybody else.

@helloweishi

This comment has been minimized.

helloweishi replied Aug 5, 2015

interesting, but no suprise, I believe it will be fixed soon.

@steakknife

This comment has been minimized.

steakknife replied Aug 5, 2015

This is equivalent to email spoofing. Another one of a multitude of reasons Github could support and verify GPG signed commits and tags, and permit repos to optionally reject unsigned commits.

@zenyr

This comment has been minimized.

zenyr replied Aug 5, 2015

1 more reason for Linus for ditching/undermining Github

@lemenkov

This comment has been minimized.

lemenkov replied Aug 5, 2015

@steakknife honestly it seems that GitHub totally lost a momentum. A lot of features, and enhancements random people are constantly whining about (IPv6 for example) yet to be implemented. There is no visible issue tracker for that. It's just not possible to ask GH staff for anything technical. I'm afraid with @mojombo's retirement GitHub become stagnant. The only (and quite big btw) valuable asset left intact of GitHub is people but who knows for how long.

@mvasilkov

This comment has been minimized.

mvasilkov replied Aug 5, 2015

Such clever.
Very hack.
Wow.

@Spaceghost

This comment has been minimized.

Spaceghost replied Aug 5, 2015

I wish everyone here would stop whinging and learn how to use gpg to sign tags (thusly history). https://git-scm.com/book/tr/v2/Git-Tools-Signing-Your-Work

@paulRbr

This comment has been minimized.

paulRbr replied Aug 5, 2015

@Spaceghost me too. I don't understand why GitHub never pushed for that ?

@hugoroy

This comment has been minimized.

hugoroy replied Aug 5, 2015

Oh, the irony http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html (see why Linus thinks that GnuPG-signed commits are a bad idea)

@Spaceghost

This comment has been minimized.

Spaceghost replied Aug 5, 2015

@Davorak

This comment has been minimized.

Davorak replied Aug 5, 2015

@Davorak: Who pushed it doesn't reflect who authored or committed it anyway. Note that I can push a repo with commits done by anybody else.

@hobarrera - I was/am aware, my main point was unlike the the author of the commit, to my knowledge, it is not possible to spoof the login of the pusher given by the events api. So when using github and without additional signing a logical step is to hold those who push code to a repo responsible for any negative consequences regardless what the author information says, barring a some exceptions.

@arronmabrey

This comment has been minimized.

arronmabrey replied Aug 5, 2015

658

@graingert

This comment has been minimized.

@josephjoice

This comment has been minimized.

josephjoice replied Oct 25, 2017

Just now I checked the https://github.com/torvalds/linux/commits/master and saw that even Linus is not signing his commits. Is it not a thing yet even after 1.5 years since Github started supporting signed commits?

@jomo

This comment has been minimized.

jomo replied Oct 25, 2017

Linus doesn't use GitHub, so he has probably never uploaded his key.

Signing commits has been also around for much longer (v1.7.9) than GitHub has added support for it.

Years before commit signing was possible, Linus said:

Btw, there's a final reason, and probably the really real one. Signingeach commit is totally stupid. It just means that you automate it, and youmake the signature worth less. It also doesn't add any real value, sincethe way the git DAG-chain of SHA1's work, you only ever need _one_signature to make all the commits reachable from that one be effectivelycovered by that one. So signing each commit is simply missing the point.

IOW, you don't ever have a reason to sign anythign but the "tip". Theonly exception is the "go back and re-sign", but that's the one thatrequires external signatures anyway.

So be happy with 'git tag -s'. It really is the right way.

Please sign in to comment.