This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
@@ -0,0 +1,10 @@ | ||
Instructions on masquerading as other users in git: | ||
|
||
```bash | ||
export GIT_AUTHOR_NAME="Linus Torvalds" | ||
export GIT_AUTHOR_EMAIL="torvalds@linux-foundation.org" | ||
export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME" | ||
export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL" | ||
git commit -m "Enjoy!" | ||
``` |
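Review bot: The added instructions (the `export GIT_AUTHOR_*` / `GIT_COMMITTER_*` block) never state that these four fields are free-form, unauthenticated metadata, so the file shows the how without saying what it implies for anyone reading the resulting history. Suggest adding a sentence after the code fence noting that the name and e-mail recorded in a commit prove nothing about who made it, and that only a signature check, such as `git log --show-signature` or `git verify-commit`, ties a commit to a key holder.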
This comment has been minimized.
WOWOWOWOWW
This comment has been minimized.
I'm GIT and I find it offensive. GIT IT?
This comment has been minimized.
I'm actually a wallaby
This comment has been minimized.
It seems like github should probably distinguish between signed and non-signed commits.
This comment has been minimized.
like duh
This comment has been minimized.
eat💩
This comment has been minimized.
ヽ༼ຈل͜ຈ༽ノ
DONGLES
This comment has been minimized.
Sweet. He even signs off if you ask him nicely.
This comment has been minimized.
Can't believe it
This comment has been minimized.
wat
This comment has been minimized.
nothing to say
This comment has been minimized.
You can do more fun things: jomo@c616eff
This comment has been minimized.
You can use github's api to identify who pushed a commit:
Currently the event in question is on page 3 so you can use:
https://api.github.com/repos/amoffat/masquerade/events?page=3
It will roll to further pages as new events come in.
This comment has been minimized.
nice.
This comment has been minimized.
This kinda crap is why github is not an appropriate place for real-world projects. Security, enforcement and OPSEC at an all-time low across the board.
This comment has been minimized.
Two billion dollars
This comment has been minimized.
torvalds/linux#17
This comment has been minimized.
Linus is gonna be mad😃
This comment has been minimized.
@Davorak: Who pushed it doesn't reflect who authored or committed it anyway. Note that I can push a repo with commits done by anybody else.
This comment has been minimized.
interesting, but no surprise, I believe it will be fixed soon.
This comment has been minimized.
This is equivalent to email spoofing. Another one of a multitude of reasons Github could support and verify GPG signed commits and tags, and permit repos to optionally reject unsigned commits.
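
The "reject unsigned commits" policy suggested in the comment above, sketched as pre-receive hook logic. This is an added example, not part of the original thread and not GitHub's implementation; the function names `unsigned_commits` and `pre_receive_check` are hypothetical, and the verifying machine's keyring is assumed to hold only keys the project trusts.

```bash
#!/bin/sh
# Added example: pre-receive-style policy that ignores the author/committer
# fields (anyone can set them) and trusts only git's signature status.

# unsigned_commits <repo> <rev-list args...>
# Prints "<status> <sha> <author-email>" for every selected commit whose %G?
# status is not "G" (good signature from a key in this machine's keyring;
# that keyring is assumed to hold only keys the project trusts).
# Status "N" means no signature at all. Returns 1 if anything was printed.
unsigned_commits() {
    uc_repo=$1; shift
    # Fail closed: if git cannot list the commits, treat the push as bad.
    uc_out=$(git -C "$uc_repo" log --format='%G? %H %ae' "$@") || return 1
    uc_bad=$(printf '%s\n' "$uc_out" | grep -v '^G ' || true)
    [ -z "$uc_bad" ] && return 0
    printf '%s\n' "$uc_bad"
    return 1
}

# pre_receive_check <repo>
# Reads "<old> <new> <ref>" lines on stdin, the format git gives a pre-receive
# hook, and returns 1 if any pushed commit lacks a good signature.
pre_receive_check() {
    pr_repo=$1; pr_rc=0
    while read -r pr_old pr_new pr_ref; do
        case $pr_new in *[!0]*) ;; *) continue ;; esac   # all zeros: ref deleted
        case $pr_old in
            *[!0]*) unsigned_commits "$pr_repo" "$pr_old..$pr_new" || pr_rc=1 ;;
            # New ref: check only commits not already reachable from existing refs.
            *) unsigned_commits "$pr_repo" "$pr_new" --not --all || pr_rc=1 ;;
        esac
    done
    return "$pr_rc"
}
```

In a real hook the repository argument would be `.` and a non-zero return would be passed to `exit` to refuse the push.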
This comment has been minimized.
1 more reason for Linus for ditching/undermining Github
This comment has been minimized.
@steakknife honestly it seems that GitHub totally lost momentum. A lot of features and enhancements random people are constantly whining about (IPv6 for example) are yet to be implemented. There is no visible issue tracker for that. It's just not possible to ask GH staff for anything technical. I'm afraid with @mojombo's retirement GitHub has become stagnant. The only (and quite big btw) valuable asset of GitHub left intact is people, but who knows for how long.
This comment has been minimized.
Such clever.
Very hack.
Wow.
This comment has been minimized.
I wish everyone here would stop whinging and learn how to use gpg to sign tags (thusly history). https://git-scm.com/book/tr/v2/Git-Tools-Signing-Your-Work
This comment has been minimized.
@Spaceghost me too. I don't understand why GitHub never pushed for that?
This comment has been minimized.
Oh, the irony http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html (see why Linus thinks that GnuPG-signed commits are a bad idea)
This comment has been minimized.
@hobarrera - I was/am aware, my main point was unlike the author of the commit, to my knowledge, it is not possible to spoof the login of the pusher given by the events api. So when using github and without additional signing a logical step is to hold those who push code to a repo responsible for any negative consequences regardless what the author information says, barring some exceptions.
This comment has been minimized.
https://github.com/blog/2144-gpg-signature-verification
This comment has been minimized.
Just now I checked the https://github.com/torvalds/linux/commits/master and saw that even Linus is not signing his commits. Is it not a thing yet even after 1.5 years since Github started supporting signed commits?
This comment has been minimized.
Linus doesn't use GitHub, so he has probably never uploaded his key.
Signing commits has also been around for much longer (v1.7.9) than GitHub has added support for it.
Years before commit signing was possible, Linus said: