Enjoy! · amoffat/masquerade@9b05625

Instructions on masquerading as other users in git:

export GIT_AUTHOR_NAME="Linus Torvalds"
export GIT_AUTHOR_EMAIL="torvalds@linux-foundation.org"
export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME"
export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"

git commit -m "Enjoy!"

androm3da · Aug 4, 2015

WOWOWOWOWW

giacgbj · Aug 4, 2015

I'm GIT and I find it offensive. GIT IT?

robotnoises · Aug 4, 2015

I'm actually a wallaby

uxcn · Aug 4, 2015

It seems like github should probably distinguish between signed and non-signed commits.

estrabd · Aug 4, 2015

like duh

hilios · Aug 4, 2015

eat 💩

paulanunda · Aug 4, 2015

ヽ༼ຈل͜ຈ༽ﾉ

DONGLES

stephen-mw · Aug 4, 2015

Sweet. He even signs off if you ask him nicely.

crisdpa · Aug 4, 2015

Can't believe it

BelfordZ · Aug 4, 2015

wat

gaapt · Aug 4, 2015

nothing to say

warmwaffles · Aug 4, 2015

jomo · Aug 4, 2015

You can do more fun things: jomo@c616eff

Davorak · Aug 4, 2015

You can use github's api to identify out who pushed a commit:

Currently the event in question is on page 3 so you can use:
https://api.github.com/repos/amoffat/masquerade/events?page=3

It i will roll to further pages as new events come in.

{
    "id": "3030685599",
    "type": "PushEvent",
    "actor": {
      "id": 259113,
      "login": "amoffat",
      "gravatar_id": "",
      "url": "https://api.github.com/users/amoffat",
      "avatar_url": "https://avatars.githubusercontent.com/u/259113?"
    },
    "repo": {
      "id": 40194425,
      "name": "amoffat/masquerade",
      "url": "https://api.github.com/repos/amoffat/masquerade"
    },
    "payload": {
      "push_id": 747582733,
      "size": 1,
      "distinct_size": 1,
      "ref": "refs/heads/master",
      "head": "9b0562595cc479ac8696110cb0a2d33f8f2b7d29",
      "before": "2ff8c2e08b0be167a6794a1a03b7a41f0c459141",
      "commits": [
        {
          "sha": "9b0562595cc479ac8696110cb0a2d33f8f2b7d29",
          "author": {
            "email": "torvalds@linux-foundation.org",
            "name": "Linus Torvalds"
          },
          "message": "Enjoy!",
          "distinct": true,
          "url": "https://api.github.com/repos/amoffat/masquerade/commits/9b0562595cc479ac8696110cb0a2d33f8f2b7d29"
        }
      ]
    },
    "public": true,
    "created_at": "2015-08-04T18:44:26Z"
  },

psychocandy · Aug 4, 2015

nice.

logicrime · Aug 4, 2015

This kinda crap is why github is not an appropriate place for real-world projects, Security, enforcement and OPSEC at an all-time low across the board.

formans · Aug 4, 2015

Two billion dollars

romi-h · Aug 4, 2015

torvalds/linux#17

andreyhsiao · Aug 5, 2015

Linus is gonna be mad 😃

WhyNotHugo · Aug 5, 2015

@Davorak: Who pushed it doesn't reflect who authored or committed it anyway. Note that I can push a repo with commits done by anybody else.

helloweishi · Aug 5, 2015

interesting, but no suprise, I believe it will be fixed soon.

steakknife · Aug 5, 2015

This is equivalent to email spoofing. Another one of a multitude of reasons Github could support and verify GPG signed commits and tags, and permit repos to optionally reject unsigned commits.

zenyr · Aug 5, 2015

1 more reason for Linus for ditching/undermining Github

lemenkov · Aug 5, 2015

@steakknife honestly it seems that GitHub totally lost a momentum. A lot of features, and enhancements random people are constantly whining about (IPv6 for example) yet to be implemented. There is no visible issue tracker for that. It's just not possible to ask GH staff for anything technical. I'm afraid with @mojombo's retirement GitHub become stagnant. The only (and quite big btw) valuable asset left intact of GitHub is people but who knows for how long.

mvasilkov · Aug 5, 2015

Such clever.
Very hack.
Wow.

Spaceghost · Aug 5, 2015

I wish everyone here would stop whinging and learn how to use gpg to sign tags (thusly history). https://git-scm.com/book/tr/v2/Git-Tools-Signing-Your-Work

paulRbr · Aug 5, 2015

@Spaceghost me too. I don't understand why GitHub never pushed for that ?

hugoroy · Aug 5, 2015

Oh, the irony http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html (see why Linus thinks that GnuPG-signed commits are a bad idea)

Spaceghost · Aug 5, 2015

I sign tags, which I believe are in line with the Torvaldian Way.

…

On Aug 5, 2015 4:20 AM, "Hugo Roy" ***@***.*** wrote: Oh, the irony http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html (see why Linus thinks that GnuPG-signed commits are a bad idea) — Reply to this email directly or view it on GitHub 9b05625#commitcomment-12538046 .

Davorak · Aug 5, 2015

@Davorak: Who pushed it doesn't reflect who authored or committed it anyway. Note that I can push a repo with commits done by anybody else.

@hobarrera - I was/am aware, my main point was unlike the the author of the commit, to my knowledge, it is not possible to spoof the login of the pusher given by the events api. So when using github and without additional signing a logical step is to hold those who push code to a repo responsible for any negative consequences regardless what the author information says, barring a some exceptions.

arronmabrey · Aug 5, 2015

graingert · Apr 6, 2016

https://github.com/blog/2144-gpg-signature-verification

josephjoice · Oct 25, 2017

Just now I checked the https://github.com/torvalds/linux/commits/master and saw that even Linus is not signing his commits. Is it not a thing yet even after 1.5 years since Github started supporting signed commits?

jomo · Oct 25, 2017

Linus doesn't use GitHub, so he has probably never uploaded his key.

Signing commits has been also around for much longer (v1.7.9) than GitHub has added support for it.

Years before commit signing was possible, Linus said:

Btw, there's a final reason, and probably the really real one. Signingeach commit is totally stupid. It just means that you automate it, and youmake the signature worth less. It also doesn't add any real value, sincethe way the git DAG-chain of SHA1's work, you only ever need _one_signature to make all the commits reachable from that one be effectivelycovered by that one. So signing each commit is simply missing the point.

IOW, you don't ever have a reason to sign anythign but the "tip". Theonly exception is the "go back and re-sign", but that's the one thatrequires external signatures anyway.

So be happy with 'git tag -s'. It really is the right way.

amoffat/masquerade

34 comments on commit 9b05625

This comment has been minimized.

androm3da replied Aug 4, 2015

This comment has been minimized.

giacgbj replied Aug 4, 2015

This comment has been minimized.

robotnoises replied Aug 4, 2015

This comment has been minimized.

uxcn replied Aug 4, 2015

This comment has been minimized.

estrabd replied Aug 4, 2015

This comment has been minimized.

hilios replied Aug 4, 2015

This comment has been minimized.

paulanunda replied Aug 4, 2015

This comment has been minimized.

stephen-mw replied Aug 4, 2015

This comment has been minimized.

crisdpa replied Aug 4, 2015

This comment has been minimized.

BelfordZ replied Aug 4, 2015

This comment has been minimized.

gaapt replied Aug 4, 2015

This comment has been minimized.

warmwaffles replied Aug 4, 2015

This comment has been minimized.

jomo replied Aug 4, 2015

This comment has been minimized.

Davorak replied Aug 4, 2015

This comment has been minimized.

psychocandy replied Aug 4, 2015

This comment has been minimized.

logicrime replied Aug 4, 2015

This comment has been minimized.

formans replied Aug 4, 2015

This comment has been minimized.

romi-h replied Aug 4, 2015

This comment has been minimized.

andreyhsiao replied Aug 5, 2015

This comment has been minimized.

WhyNotHugo replied Aug 5, 2015

This comment has been minimized.

helloweishi replied Aug 5, 2015

This comment has been minimized.

steakknife replied Aug 5, 2015

This comment has been minimized.

zenyr replied Aug 5, 2015

This comment has been minimized.

lemenkov replied Aug 5, 2015

This comment has been minimized.

mvasilkov replied Aug 5, 2015

This comment has been minimized.

Spaceghost replied Aug 5, 2015

This comment has been minimized.

paulRbr replied Aug 5, 2015

This comment has been minimized.

hugoroy replied Aug 5, 2015

This comment has been minimized.

Spaceghost replied Aug 5, 2015

This comment has been minimized.

Davorak replied Aug 5, 2015

This comment has been minimized.

arronmabrey replied Aug 5, 2015

This comment has been minimized.

graingert replied Apr 6, 2016

This comment has been minimized.

josephjoice replied Oct 25, 2017

This comment has been minimized.

jomo replied Oct 25, 2017

34 comments on commit `9b05625`