Before starting, you can see for yourself by clicking on the link → https://github.com/martiliones/icon-set-creator
* don't forget to star project...
For further actions, you may consider blocking this person and/or reporting abuse
It’s kind of a feature, but still a good find! 😄
Also a good example of why you should sign your commits.
Don't worry, impersonation is not possible because of commit signing using GPG keys and signing off. GitHub includes a special mechanism called vigilant mode to enable that, but trust me, you don't even need that. The "Trusted" label on each signed commit is the sole authenticity.
Linking to your GitHub profile in the commits and contributors is impersonating, isn't it? There is no verified label in the contributor list
Hmmm… Yes, no verified label in the contributors' list. But there will definitely be an unverified label in the commits if the person who is being impersonated has turned on vigilant mode. Also, in any legal processing, such commits would be deemed untrusted, because they won't be signed by the private key of the actual person.
That's why I recommend signing all commits.
What's more, it's why you should require contributors to sign any commit that's of actual legal interest, aka. any non-trivial contribution to an open source repository, so you can prove they willingly submitted their code to the repository knowing the license as well as having someone to blame if it turns out they stole the code :D
This is how git works and how it has to work. Your authentication is only about write access or not. When you collaborate and merge between branches and many contributors you include other peoples commits all the time. This is by design and is well known. Changing this would require github to not be a compliant git server anymore.
With that said, I guess they could make it harder to add people to the contributor list. Maybe a user could have an option like "I always sign my commits" and then only signed commits would apply for that user?
Also, this reminded me a long-standing todo of adding gpg code signing to all my dev environments and I did it now together with vigilant mode as mentioned elsewhere.
I also just turned on vigilant mode. I'd still like to see a more aggressive "if it ain't signed, it ain't mine" checkbox though. I'll sign everything that isn't a non-trivial change and, if I don't, I often even re-commit on my desktop later on so the commit gets its signature.
I suspect it is complicated to do for edge cases though. Let's say you contributed unsigned and with your email 10 years ago in som git repo currently not on github, and then it is imported now. Then the import would fail and the owner of the repo would not be able to fix it without breaking everyone elses commits
The import doesn't need to fail, it just needs to communicate clearly that the contributor isn't confirmed; maybe by leaving the username greyed out with an "unconfirmed" warning right next to it.
But then it is basically the same as today, except for the greying out?
Does it already mark unverified contributors? I've never seen that happen on github.
Because very few enable vigilant mode I guess. Here is one made by me before I started signing my commits
My point is, when I enable vigilant mode, I don't want to show up in any contributor list unless at least one commit on that repository is signed, or at least only appear greyed out or something.
Of course, agreed
how do you turn on
vigilant modeI cannot find it.worked it out
As many junior tech you should quickly learn the difference between :
You could get sued for ID fraud, even the most basic.
You could get sued, but nobody would ever bother, much less if you impersonate someone in another country.
Thanks for sharing your opinion!
this is literally what signed commits are for.
This is neither a bug, nor is it easy to "fix". The solution is to use the right tool for the job and sign your commits.
Oh and by the way:
git commit --author 'Your Name <your.name@domain.com>'does the same thing but is much easier to remember. And it's far from the only thing you can mess with, take for example this neat little script I use to make commits "in the future":Just put that script in your path as
git-timeshiftand you can call it asgit timeshift "+3 hours" committo commit something with a timestamp 3 hours in the future. Why you might want to do this, I'll leave to your imagination.Thank you for your comment!
You can also make commit in the past. There is Anthony Fu's script to make commit in 1990 github.com/antfu/1990-script
I always thought it would take contributors from the PRs history ... if it takes from the git logs that's is a problem. As everyone said, proper signing is the way to go, because the simplicity in Gits logs is there in case you are using it as an internal tool, where only people in your workgroup have access to it and assumes you trust everyone.
Did you expose that to the github team???
I'm pretty sure the github team has known this since the first day and don't need any well-meaning users pointing it out to them :D
Smart! I saw linus torvalds contribution to a trivial repo the other day and I wondered how and why in the world he would do so. This explains it 😂😂
You don't actually need their email address. It will work with the GitHub noreply address that every user has, so all you need is their user id which is public.
Not working for me.
What exactly could you not do? Enter
git log, you should see something likeAuthor: Name <email@example.com>you first need to change something in your project and register changed files to create a commit, using
git add ., then you can enter command from article and "push" changes withgit push -u origin mastercommand. Hope I helped you :)This has been solved by using GPG keys for a while now, it is a completely opt-in system which developers can attach their signature to a commit which will show as it being verified, this stops others just using any email address, or it will show as them BUT it will contain an unverified icon - docs.github.com/en/github/authenti...
You can sort of prevent it by signing your commits with a gpg key :)
Superb!
Linus will actually contribute as soon he finds out, if he really is still the reverse engineer that was back when he started it all.
Kudos , to the op. In a world we hardly can invent something on our own,we owe to exploit what's already there at least.