DEV Community post by martiliones
How I got Linus Torvalds in my contributors on GitHub

Before starting, you can see the result for yourself by clicking on the link → https://github.com/martiliones/icon-set-creator

* don't forget to star the project if you like it :)

Idea

One day I wondered why my commits were not showing up in my activity overview. I googled and found on StackOverflow that GitHub links a commit to a profile by the git author email, not by the credentials used to push. So I thought that maybe I could change my git email to get a commit attributed to another user without their participation.

Realisation

First of all, you need the e-mail address of the target user. At first my idea was to take it from the user's git repository, but then I found that I could use the GitHub API instead. Here is the GET endpoint; you can open it in your browser:

https://api.github.com/users/REPLACE_WITH_USERNAME/events/public

You will get a list of the user's public events, and you can easily find the e-mail with your browser's search box (Ctrl+F in most browsers, or the "Filter JSON" box in Firefox's JSON viewer).

Once we get the email address, we can create a commit:

git -c user.name='Linus Torvalds' -c user.email='torvalds@linux-foundation.org' commit -m "JavaScript is my favorite language 💕"

For your commits to show up in the target user's Activity Overview, at least one of the following must be true:

  • The user is a collaborator on the repository or a member of the organization that owns the repository.
  • The user has forked the repository.
  • The user has opened a pull request or issue in the repository.
  • The user has starred the repository.

Results

You can do this with anyone as long as you have the user's email address.

(image: Linus Torvalds commit)

(image: contributors graph)

Conclusion

I think GitHub should fix this bug to prevent attacks on profiles. If the target user has starred your repository, you could, for example, draw something in their Activity Overview.
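As an added example (not code from the original post), here is a small Python audit a maintainer could run over a repository's history to flag commits that claim a given identity by author e-mail but carry no verified signature, which is exactly what the trick above produces. It assumes the log was generated with git log --format='%H%x09%an%x09%ae%x09%ce%x09%G?' so that git's signature verdict is on each line; the sample lines, the placeholder hashes and the noreply user ID are constructed.

```python
"""Flag commits that claim a protected identity but carry no verified
signature.  Added example, not code from the original post; the sample
log below is constructed."""
from dataclasses import dataclass

# Feed this to `git log --format=...` so every commit becomes one line of
# tab-separated fields: hash, author name, author email, committer email,
# and git's one-letter signature verdict (%G?).
LOG_FORMAT = "%H%x09%an%x09%ae%x09%ce%x09%G?"

# %G? verdicts as documented in git-log(1):
#   G good signature                U good signature, key validity unknown
#   B bad signature                 X good signature, expired
#   Y good signature, key expired   R good signature, key revoked
#   E signature cannot be checked   N no signature
# Only G counts as verified here; U means the key is not in our trust set.
VERIFIED = {"G"}

# Identities we care about: the email the post uses, plus a GitHub noreply
# address of the form ID+username@users.noreply.github.com (as one
# commenter notes, those work too).  The ID 12345 is a constructed placeholder.
PROTECTED_EMAILS = {
    "torvalds@linux-foundation.org",
    "12345+someuser@users.noreply.github.com",
}


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    committer_email: str
    sig_status: str


def parse_log(text: str) -> list[Commit]:
    """Parse the tab-separated output of git log run with LOG_FORMAT."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"unexpected log line: {line!r}")
        commits.append(Commit(*fields))
    return commits


def find_unverified(commits, protected_emails=PROTECTED_EMAILS):
    """Return (sha, author_email, reason) for every commit attributed to a
    protected email whose signature verdict is not verified."""
    protected = {e.lower() for e in protected_emails}
    findings = []
    for c in commits:
        author = c.author_email.lower()
        if author not in protected or c.sig_status in VERIFIED:
            continue
        reasons = [f"signature verdict {c.sig_status!r}"]
        # `git commit --author` leaves the committer untouched, so a
        # committer that differs from the claimed author is an extra hint.
        if c.committer_email.lower() != author:
            reasons.append(f"committer {c.committer_email} differs from author")
        findings.append((c.sha, c.author_email, "; ".join(reasons)))
    return findings


# Constructed sample log (hashes are placeholders, not real commits).
SAMPLE_LOG = "\n".join([
    "0000000000000000000000000000000000000001\tLinus Torvalds\ttorvalds@linux-foundation.org\ttorvalds@linux-foundation.org\tN",
    "0000000000000000000000000000000000000002\tmartiliones\tmartiliones@example.com\tmartiliones@example.com\tG",
    "0000000000000000000000000000000000000003\tLinus Torvalds\ttorvalds@linux-foundation.org\tmartiliones@example.com\tN",
    "0000000000000000000000000000000000000004\tSome User\t12345+someuser@users.noreply.github.com\tsomeuser@example.com\tN",
    "0000000000000000000000000000000000000005\tOther Dev\tother@example.com\tother@example.com\tN",
])


if __name__ == "__main__":
    import sys
    # Real use: git log --format='%H%x09%an%x09%ae%x09%ce%x09%G?' | python audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for sha, email, reason in find_unverified(parse_log(text)):
        print(f"{sha[:12]} {email}: {reason}")
```

On the sample, commits 1, 3 and 4 are reported and commit 5 is not: it is unsigned too, but nobody claims that identity, which is the point. Only a good signature from a key you trust is treated as verified; a signature from an unknown key ("U") still gets flagged, because the whole problem is that the author field itself proves nothing.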

Thank you for your time. Share your opinion about it in the comments 👇

Discussion (37)

Chun Fei Lung

It’s kind of a feature, but still a good find! 😄

Also a good example of why you should sign your commits.

BearOve

This is how git works and how it has to work. Your authentication is only about write access or not. When you collaborate and merge between branches and many contributors, you include other people's commits all the time. This is by design and is well known. Changing this would require GitHub to not be a compliant git server anymore.

BearOve

With that said, I guess they could make it harder to add people to the contributor list. Maybe a user could have an option like "I always sign my commits" and then only signed commits would apply for that user?

BearOve

Also, this reminded me of a long-standing todo of adding GPG code signing to all my dev environments, and I did it now together with vigilant mode as mentioned elsewhere.

DarkWiiPlayer

I also just turned on vigilant mode. I'd still like to see a more aggressive "if it ain't signed, it ain't mine" checkbox though. I'll sign everything that isn't a non-trivial change and, if I don't, I often even re-commit on my desktop later on so the commit gets its signature.

BearOve

I suspect it is complicated to do for edge cases though. Let's say you contributed unsigned and with your email 10 years ago in some git repo currently not on GitHub, and then it is imported now. Then the import would fail and the owner of the repo would not be able to fix it without breaking everyone else's commits.

DarkWiiPlayer

The import doesn't need to fail, it just needs to communicate clearly that the contributor isn't confirmed; maybe by leaving the username greyed out with an "unconfirmed" warning right next to it.

BearOve

But then it is basically the same as today, except for the greying out?

DarkWiiPlayer

Does it already mark unverified contributors? I've never seen that happen on github.

BearOve • Edited on

Because very few enable vigilant mode I guess. Here is one made by me before I started signing my commits

DarkWiiPlayer

My point is, when I enable vigilant mode, I don't want to show up in any contributor list unless at least one commit on that repository is signed, or at least only appear greyed out or something.

BearOve

Of course, agreed

Francis Grizzly Smit

How do you turn on vigilant mode? I cannot find it.

Francis Grizzly Smit

Worked it out.

Param Siddharth

Don't worry, impersonation is not possible because of commit signing using GPG keys and signing off. GitHub includes a special mechanism called vigilant mode to enable that, but trust me, you don't even need that. The "Trusted" label on each signed commit is the sole authenticity.

martiliones Author • Edited on

Linking to your GitHub profile in the commits and contributors is impersonating, isn't it? There is no verified label in the contributor list.

Param Siddharth

Hmmm… Yes, no verified label in the contributors' list. But there will definitely be an unverified label in the commits if the person who is being impersonated has turned on vigilant mode. Also, in any legal processing, such commits would be deemed untrusted, because they won't be signed by the private key of the actual person.

That's why I recommend signing all commits.

DarkWiiPlayer

What's more, it's why you should require contributors to sign any commit that's of actual legal interest, aka. any non-trivial contribution to an open source repository, so you can prove they willingly submitted their code to the repository knowing the license as well as having someone to blame if it turns out they stole the code :D

JudicaelD

As many junior techs should, you should quickly learn the difference between:

  • It's technically possible.
  • Oh I shall do that, expose it publicly and make an article about it.

You could get sued for ID fraud, even the most basic.

martiliones Author

Thanks for sharing your opinion!

DarkWiiPlayer

You could get sued, but nobody would ever bother, much less if you impersonate someone in another country.

Pietro T.

this is literally what signed commits are for.

DarkWiiPlayer • Edited on

"I think GitHub should fix this bug to prevent attacks on profiles"

This is neither a bug, nor is it easy to "fix". The solution is to use the right tool for the job and sign your commits.

Oh and by the way: git commit --author 'Your Name <your.name@domain.com>' does the same thing but is much easier to remember. And it's far from the only thing you can mess with, take for example this neat little script I use to make commits "in the future":

#!/bin/sh
# Usage: git timeshift "<date expression>" <git subcommand and arguments>
DATE="$1"; shift 1
# Resolve the expression with GNU date (-d) and apply the same epoch
# timestamp to both the author and the committer date
export GIT_AUTHOR_DATE=$(date +%s -d "$DATE")
export GIT_COMMITTER_DATE=$GIT_AUTHOR_DATE
git "$@"

Just put that script in your path as git-timeshift and you can call it as git timeshift "+3 hours" commit to commit something with a timestamp 3 hours in the future. Why you might want to do this, I'll leave to your imagination.
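Since both the author identity and the timestamps are plain fields that anyone with push access can set, the same kind of log audit that checks signatures can check dates. The following Python script is an added example, not the commenter's code, that flags commits whose author or committer timestamps lie in the future, predate git itself, or have a committer date earlier than the author date (a rebase moves it forward, not backward). It assumes the log was generated with git log --format='%H%x09%at%x09%ct'; the hashes, the fixed "now" and the sample lines are constructed, and 2005-04-07 is used as git's own first-commit date.

```python
"""Flag commits whose author or committer timestamps are implausible.
Added example, not the commenter's code; the sample log is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Feed this to `git log --format=...` so every commit becomes one line of
# tab-separated fields: hash, author date, committer date (epoch seconds).
LOG_FORMAT = "%H%x09%at%x09%ct"


def epoch(year, month, day):
    """Midnight UTC of the given calendar date as Unix epoch seconds."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Git's own first commit dates from 2005-04-07; a commit authored before
# that cannot have been made with git at the time it claims.
GIT_EPOCH = epoch(2005, 4, 7)


@dataclass
class Stamp:
    sha: str
    author_ts: int
    committer_ts: int


def parse_log(text):
    """Parse the tab-separated output of git log run with LOG_FORMAT."""
    stamps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author_ts, committer_ts = line.split("\t")
        stamps.append(Stamp(sha, int(author_ts), int(committer_ts)))
    return stamps


def find_time_anomalies(stamps, now, earliest=GIT_EPOCH, skew=300):
    """Return (sha, [reasons]) for commits with timestamps in the future,
    before `earliest`, or with a committer date that precedes the author
    date by more than `skew` seconds of tolerated clock drift."""
    findings = []
    for s in stamps:
        reasons = []
        if s.author_ts > now + skew:
            reasons.append("author date is in the future")
        if s.committer_ts > now + skew:
            reasons.append("committer date is in the future")
        if s.author_ts < earliest:
            reasons.append("author date predates the earliest plausible date")
        # Rebase and cherry-pick move the committer date forward, never
        # backward, so a committer date before the author date is suspect.
        if s.committer_ts < s.author_ts - skew:
            reasons.append("committer date precedes author date")
        if reasons:
            findings.append((s.sha, reasons))
    return findings


# Constructed sample: "now" is pinned so the outcome is reproducible.
NOW = epoch(2023, 11, 14)
SAMPLE_LOG = "\n".join([
    f"0000000000000000000000000000000000000001\t{NOW - 3600}\t{NOW - 3600}",          # normal commit
    f"0000000000000000000000000000000000000002\t{NOW + 3 * 3600}\t{NOW + 3 * 3600}",  # "+3 hours" timeshift
    f"0000000000000000000000000000000000000003\t{epoch(1990, 1, 1)}\t{NOW - 60}",     # authored in 1990
    f"0000000000000000000000000000000000000004\t{NOW - 100}\t{NOW - 7200}",           # committer before author
    f"0000000000000000000000000000000000000005\t{NOW - 30 * 86400}\t{NOW - 60}",      # rebased a month later, fine
])


if __name__ == "__main__":
    import sys
    # Real use: git log --format='%H%x09%at%x09%ct' | python timestamps.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    wall_clock = int(datetime.now(timezone.utc).timestamp())
    for sha, reasons in find_time_anomalies(parse_log(text), wall_clock):
        print(sha[:12], "; ".join(reasons))
```

On the sample, the "+3 hours" commit, the 1990 commit and the one whose committer date precedes its author date are reported; the rebased commit, whose committer date is a month after its author date, is not. The skew tolerance exists because developer clocks drift by seconds, not hours, and a tolerance of a few minutes keeps ordinary commits out of the report.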

martiliones Author • Edited on

Thank you for your comment!

You can also make a commit in the past. There is Anthony Fu's script to make a commit in 1990: github.com/antfu/1990-script

Raí B. Toffoletto • Edited on

I always thought it would take contributors from the PR history ... if it takes them from the git logs, that is a problem. As everyone said, proper signing is the way to go, because the simplicity in Git's logs is there in case you are using it as an internal tool, where only people in your workgroup have access to it and it is assumed you trust everyone.

Did you expose that to the github team???

DarkWiiPlayer

I'm pretty sure the github team has known this since the first day and don't need any well-meaning users pointing it out to them :D

Dan Bamikiya

Smart! I saw a Linus Torvalds contribution to a trivial repo the other day and I wondered how and why in the world he would do so. This explains it 😂😂

Vincent A. Cicirello

You don't actually need their email address. It will work with the GitHub noreply address that every user has, so all you need is their user id which is public.

Himanshu Chandola

Not working for me.

martiliones Author • Edited on

What exactly could you not do? Run git log; you should see something like Author: Name <email@example.com>

Comment deleted
martiliones Author

You first need to change something in your project and register the changed files to create a commit, using git add ., then you can enter the command from the article and "push" the changes with the git push -u origin master command. Hope I helped you :)

Owen Melbourne

This has been solved by using GPG keys for a while now. It is a completely opt-in system in which developers can attach their signature to a commit, which will then show as verified. This stops others just using any email address, or it will show as them BUT it will contain an unverified icon - docs.github.com/en/github/authenti...

Alexandre Plateau

You can sort of prevent it by signing your commits with a gpg key :)

Aatmaj

Superb!

NetPlayer

Linus will actually contribute as soon as he finds out, if he really is still the reverse engineer he was back when he started it all.
Kudos to the OP. In a world where we can hardly invent something on our own, we owe it to ourselves to exploit what's already there at least.