This was just me verifying what I saw, that if you push commits to GitHub, it correlates the email address of authors introducing commits elsewhere. You can make it look like anyone you want is contributing patches, the avatar shows up, etc. This example commit does NOT show up in dhh's timeline, though.

I am not going to start requiring PGP signing for my projects, they are not big enough to miss something fishy. This was just something I hadn't considered, it is probably an obvious issue to many already.
Might be an issue in that it could be used to damage someone's reputation by spoofing their avatar/etc and then trying to push malicious commits. That's what occurs to me at first glance, anyways.
I'm not really sure why this is an issue at all. Yes, "rogue" repositories could claim that you'd authored various commits. But, why would people be looking at these repos in the first place?

There's a very strong built-in trust mechanism on GitHub — mainly due to the fact that repositories hang off of "users" instead of them hanging off of "projects".

And, myself, when browsing around aimlessly on GitHub, tend to check out either reputable projects (where such behaviour is not likely to go unnoticed) or the repos of a hacker I'm interested in — who surely doesn't have much reason to fake their own commits? ;p

Heh, maybe this could be the basis for a GitHub Reality TV show. "Tonight: DHH fakes his own death!" ;p
Just like regular mail, e-mail, the bylines on articles, people on the phone, ...

If you don't want people to worry about the integrity of your code, then "git tag -s" to sign a tag. Signing a tag makes it possible to verify the authenticity of the entire branch to that point.
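A worked example of the signed-tag approach from the comment above, added here and not part of the thread: it generates a throwaway GPG key in an isolated keyring, signs a tag, and shows the check a consumer should run (`git tag -v`) before trusting the history behind it. Assumes git and gpg 2.1+ are installed; the key identity and repository are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sign a tag with a throwaway GPG key,
# then verify it the way a consumer of the repository should before trusting
# the branch history up to that tag. Assumes git and gpg (2.1+) are installed.
set -eu

export GNUPGHOME="$(mktemp -d)"   # isolated keyring, discarded afterwards
REPO="$(mktemp -d)"

# Constructed signing key; the identity is a placeholder, not a real person.
gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Tag Signer
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF
KEYID="$(gpg --batch --list-secret-keys --with-colons | awk -F: '/^sec/ {print $5; exit}')"

cd "$REPO"
git init -q
git config user.name "Tag Signer"
git config user.email "signer@example.invalid"
git config user.signingkey "$KEYID"
echo "hello" > README
git add README
git commit -q -m "initial commit"

# The author/committer fields above are free-form text; only the signature
# below is bound to a key. Signing the tag covers the tagged commit and,
# through its hash chain, every commit behind it.
git tag -s v1.0 -m "release 1.0"
git tag v1.0-lightweight          # no signature: just a pointer to a commit

# Returns 0 only when the tag carries a valid signature from a key we hold.
verify_tag() {
    git -C "$REPO" tag -v "$1" >/dev/null 2>&1
}

# Commit hash the signed tag attests to; compare it with what you check out.
signed_commit() {
    git -C "$REPO" rev-parse "$1^{commit}"
}

if verify_tag v1.0; then echo "v1.0: signature valid ($(signed_commit v1.0))"; fi
if ! verify_tag v1.0-lightweight; then echo "v1.0-lightweight: not verifiable"; fi
```

On a real project the verifier's keyring would hold the maintainer's public key obtained out of band; a tag signed by an unknown key fails `git tag -v` just like the unsigned one here.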
GitHub has a bunch of security holes.....you'd be surprised what's out there right now....

here's a screenshot from some of my GitHub exploits...

http://i.imgur.com/irL01.png