Hi folks, I'm the CEO of GitHub.

GitHub hasn't been hacked. We accidentally shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers a couple of months ago. It shares code with github.com. As others have pointed out, much of GitHub is written in Ruby.

Git makes it trivial to impersonate unsigned commits, so we recommend people sign their commits and look for the 'verified' label on GitHub to ensure that things are as they appear to be.

As for repo impersonation – stay tuned, we are going to make it much more obvious when you're viewing an orphaned commit.

In summary: everything is fine, situation normal, the lark is on the wing, the snail is on the thorn, and all's right with the world.
Commit message was "felt cute, might put gh source code on dmca repo now idk" https://web.archive.org/web/20201104050026if_/https://github.com/github/dmca/tree/565ece486c7c1652754d7b6d2b5ed9cb4097f9d5
It's unlikely this is a "leak" per se - the source code can be straightforwardly recovered from the trial version of Github Enterprise, see e.g. https://news.ycombinator.com/item?id=13875993 or (more comments) https://news.ycombinator.com/item?id=13346866

EDIT: Anyone looking to try doing this, please support open alternatives instead: https://gitea.io/en-us/
Stated without proof: I firmly believe this is related to the youtube-dl takedown. Look at the repo it was committed to as well as the timing.

Similar things happened with Sony over Other OS. Sadly I bet there will be further attacks and leaks as time goes on here.
It is a bit sad that the dmca repo gets targeted, because it's an optional extra that github is doing to show publicly when DMCA notices are received.
I saw Github's code as a consultant years ago, and I always thought it was crazy that they would ship the whole thing to us. But then I thought, how many employees do they have? Probably enough that security should not rely on the secrecy of the code anymore.
Whenever I've worked on large proprietary products we would joke we should leak our source to tie up our competitors for years trying to understand it...
> impersonating Nat Friedman using a bug in GitHub's application.

This is not a bug, it's a part of how Git fundamentally works. If you want to mitigate it you have to sign your commits. GitHub *could* only attribute commits in the UI if they're signed, but I suspect that this is considered too much friction to enable.
The reasons from the guy who says he leaked it:

https://www.reddit.com/r/programming/comments/jnpufo/using_the_same_trick_as_the_one_with_youtubedl_i/

Using the same trick as the one with youtube-dl, I uploaded the entire GitHub backend source code to GitHub's own DMCA repo. Maybe now not only GitHub can have the chance to fix the "bug", but the entire community as well? ;)
I'm guessing this is just a dump of the GitHub Enterprise source? Apparently it's never been all that hard to decrypt - e.g. https://gist.github.com/iscgar/e8ea7560c9582e4615fcc439177e22b7
Has anyone gotten this running? I'd thought it might be easy since it uses Docker, but docker-compose appears to be trying to pull a dependency called "git-daemon-server" from a URL that requires authentication.
> Some users, such as Drew DeVault, suggest Microsoft is attempting to centralise open-source.

Of course Drew DeVault thinks this way. He's trying to monetize his own github-like product, sourcehut, so fewer people using GitHub means more people using sourcehut.
1) It is extremely unlikely that this was actually pushed to the github/dmca repo. Github has a bug where you can make commits to forked/"networked" repos appear as if they're in the original repo.

2) They most certainly did not "impersonat[e] Nat Friedman using a bug in GitHub's application"; they impersonated him using a design feature in Git.
What are the business risks to a company like Github when their source code has been released in the wild? Startups treat their code like IP, but I imagine it'd still be incredibly difficult for a competitor to try and build the same tool/features even if they have the code as a "cheat sheet" of sorts. Are there other risks (i.e. security vulnerabilities) it causes?
Now maybe someone will actually make a "hack" with a UI that looks like this...

https://pbs.twimg.com/media/De17PIKXUAE27W6.jpg:large

...and show that making it work in any browser, even text-based ones (as far as possible), is not hard.
> We accidentally shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers a couple of months ago.

I'd love to hear more about that.
A classy move here would be to make a bunch of PRs to fix bugs in the codebase, inspiring Nat and Co. to just Open Source it all :) I know nothing about their revenue model or how it relies on proprietary code, of course, but it's fun to imagine.
What is the legality of /looking/ at this code in order to study how a large corporation with a large code base writes a Rails app?

I'd love to study it but not if just viewing it is a gray area
There's a really strange phenomenon that I experience on the internet where I think news is much older than it really is. This is quite a striking example of that. I read this title today and immediately thought "that's old news". But it turns out that I read this only yesterday and in a comment, not even an article. It's strange how my brain seems to store this information quickly, but doesn't have enough time to timestamp it.
I wouldn't say it was a bug in GitHub's application that allowed someone to impersonate Nat, it's just that the author of the commit (which can be changed easily/set manually in git) matched his name/email.

How many people can actually push to that repo? I wonder if it would be easy to figure out who actually did it...
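One way to audit a repository for the author spoofing this comment and the earlier ones describe, using the signature-status placeholder git log already exposes: an added example in Python, not code from GitHub or from anyone in the thread. The sample log lines, hashes and addresses are constructed, and audit_repo assumes git is on PATH.

```python
from __future__ import annotations
import subprocess
from dataclasses import dataclass

# One NUL-separated record per commit: hash, signature status, author name,
# author email, subject. %G? is git's own signature-status placeholder.
LOG_FORMAT = "%H%x00%G?%x00%an%x00%ae%x00%s"
# %G? codes (git-log(1)): only "G" is a good signature from a trusted key;
# "N" means unsigned, the others mean signed but not verifiable as trusted.
TRUSTED = {"G"}

@dataclass
class Commit:
    sha: str
    sig_status: str
    author: str
    email: str
    subject: str

def parse_log(raw: str) -> list[Commit]:
    """Parse `git log --format=LOG_FORMAT` output into Commit records."""
    commits = []
    for line in raw.splitlines():
        if not line:
            continue
        fields = line.split("\x00")
        if len(fields) != 5:
            raise ValueError(f"malformed record: {line!r}")
        commits.append(Commit(*fields))
    return commits

def unverified_claims(commits: list[Commit], watched: set[str]) -> list[Commit]:
    """Commits whose author field claims a watched identity without a trusted
    signature: the author field is free text, so nothing else ties them to
    the real person."""
    watched = {e.lower() for e in watched}
    return [c for c in commits
            if c.email.lower() in watched and c.sig_status not in TRUSTED]

def audit_repo(path: str, watched: set[str]) -> list[Commit]:
    """Run git log on a local checkout and return the suspicious commits."""
    proc = subprocess.run(["git", "-C", path, "log", f"--format={LOG_FORMAT}"],
                          capture_output=True, text=True, check=True)
    return unverified_claims(parse_log(proc.stdout), watched)

# Constructed sample log output; hashes and identities are made up.
SAMPLE_LOG = "\n".join("\x00".join(r) for r in [
    ("a1b2c3d", "G", "Maintainer", "maintainer@example.com", "Release notes"),
    ("d4e5f6a", "N", "Maintainer", "maintainer@example.com", "Hotfix"),
    ("b7c8d9e", "N", "Contributor", "dev@example.org", "Fix typo"),
    ("f0a1b2c", "U", "Maintainer", "MAINTAINER@example.com", "Bump version"),
])
```

On the constructed sample, only the first commit is attributable to the maintainer; the unsigned and untrusted-key ones are exactly what a 'verified' badge would refuse to show.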
Github, via extension of its owner Microsoft, is owned by some of the most regressive, monopolistic, oligarchic/kleptocratic, big-finance forces on the planet - the likes of Blackrock, Berkshire, Gates, etc. It is very much in their interest to centralize and control open source/free software (free as in freedom), and they have a well established track record of doing just that, by any means necessary. To say it more poignantly: Microsoft is a direct driver of perverse wealth inequality, endless wars and centralisation of power which effectively destroys any resemblance of democracy everywhere. Behind the clean corporate facade, they are just another mafia. If you support this system - by hosting your code on Github and buying MS products - you are de-facto supporting this techno-dictatorship.
Tangentially related

I'm wondering when one of the 1000s of services with write access to 100s of thousands of github run repos gets hacked or tokens expropriated and lots of repos suddenly get malicious commits.

I saw the headline and assumed this was a leak of someone else's source via stolen tokens.
I had always heard GitHub was running on Rails - but I always thought "sure some section of it is". Not ALL on rails - with models and controllers in there.
it looks like they have already taken the source code down, which sucks cause i would have LOVED to look at it. github has some of the smartest developers in the world working for them and i would love to pore over the code and see the thought process involved in creating the github backend.