GitHub Source Code Leak

1013 points, by resynth1943, over 4 years ago

42 comments

natfriedman, over 4 years ago
Hi folks, I'm the CEO of GitHub.

GitHub hasn't been hacked. We accidentally shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers a couple of months ago. It shares code with github.com. As others have pointed out, much of GitHub is written in Ruby.

Git makes it trivial to impersonate unsigned commits, so we recommend people sign their commits and look for the 'verified' label on GitHub to ensure that things are as they appear to be.

As for repo impersonation – stay tuned, we are going to make it much more obvious when you're viewing an orphaned commit.

In summary: everything is fine, situation normal, the lark is on the wing, the snail is on the thorn, and all's right with the world.

SethTro, over 4 years ago
Commit message was "felt cute, might put gh source code on dmca repo now idk" https://web.archive.org/web/20201104050026if_/https://github.com/github/dmca/tree/565ece486c7c1652754d7b6d2b5ed9cb4097f9d5

mappu, over 4 years ago
It's unlikely this is a "leak" per se - the source code can be straightforwardly recovered from the trial version of Github Enterprise, see e.g. https://news.ycombinator.com/item?id=13875993 or (more comments) https://news.ycombinator.com/item?id=13346866

EDIT: Anyone looking to try doing this, please support open alternatives instead: https://gitea.io/en-us/

kubanczyk, over 4 years ago
OP mirror https://web.archive.org/web/20201105011435/https://resynth1943.net/articles/github-source-code-leak/

Zipped source (140 MB) mirror https://web.archive.org/web/20201104050247/https://codeload.github.com/github/dmca/zip/565ece486c7c1652754d7b6d2b5ed9cb4097f9d5

metiscus, over 4 years ago
Stated without proof: I firmly believe this is related to the youtube-dl takedown. Look at the repo it was committed to as well as the timing.

Similar things happened with Sony over Other OS. Sadly I bet there will be further attacks and leaks as time goes on here.

kzrdude, over 4 years ago
It is a bit sad that the dmca repo gets targeted, because it's an optional extra that github is doing to show publicly when DMCA notices are received.

qgrgergfqgfev, over 4 years ago
I saw Github's code as a consultant years ago, and I always thought it was crazy that they would ship the whole thing to us. But then I thought, how many employees do they have? Probably enough that security should not rely on the secrecy of the code anymore.

willio58, over 4 years ago
It never sat well with me how GitHub itself was not open-source. Is it a fundamental mistrust of the very technology that made the platform possible?

dboreham, over 4 years ago
Whenever I've worked on large proprietary products we would joke we should leak our source to tie up our competitors for years trying to understand it...

pietroglyph, over 4 years ago
> impersonating Nat Friedman using a bug in GitHub's application.

This is not a bug, it's a part of how Git fundamentally works. If you want to mitigate it you have to sign your commits. GitHub could only attribute commits in the UI if they're signed, but I suspect that this is considered too much friction to enable.

robarr, over 4 years ago
The reasons from the guy who says he leaked it:

https://www.reddit.com/r/programming/comments/jnpufo/using_the_same_trick_as_the_one_with_youtubedl_i/

Using the same trick as the one with youtube-dl, I uploaded the entire GitHub backend source code to GitHub's own DMCA repo. Maybe now not only GitHub can have the chance to fix the "bug", but the entire community as well? ;)

npad, over 4 years ago
I'm guessing this is just a dump of the GitHub Enterprise source? Apparently it's never been all that hard to decrypt - e.g. https://gist.github.com/iscgar/e8ea7560c9582e4615fcc439177e22b7

Wowfunhappy, over 4 years ago
Has anyone gotten this running? I'd thought it might be easy since it uses Docker, but docker-compose appears to be trying to pull a dependency called "git-daemon-server" from a URL that requires authentication.

_a1_, over 4 years ago
> Some users, such as Drew DeVault, suggest Microsoft is attempting to centralise open-source.

Of course Drew DeVault thinks this way. He's trying to monetize his own github-like product, the sourcehut, so fewer people using GitHub means more people using sourcehut.

jfrunyon, over 4 years ago
1) It is extremely unlikely that this was actually pushed to the github/dmca repo. Github has a bug where you can make commits to forked/"networked" repos appear as if they're in the original repo.

2) They most certainly did not "impersonat[e] Nat Friedman using a bug in GitHub's application"; they impersonated him using a design feature in Git.

amb23, over 4 years ago
What are the business risks to a company like Github when their source code has been released in the wild? Startups treat their code like IP, but I imagine it'd still be incredibly difficult for a competitor to try and build the same tool/features even if they have the code as a "cheat sheet" of sorts. Are there other risks (i.e. security vulnerabilities) it causes?

userbinator, over 4 years ago
Now maybe someone will actually make a "hack" with a UI that looks like this...

https://pbs.twimg.com/media/De17PIKXUAE27W6.jpg:large

...and show that making it work in any browser, even text-based ones (as far as possible), is not hard.

neiman, over 4 years ago
> We accidentally shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers a couple of months ago.

I'd love to hear more about that.

rickspencer3, over 4 years ago
A classy move here would be to make a bunch of PRs to fix bugs in the codebase, inspiring Nat and Co. to just Open Source it all :) I know nothing about their revenue model or how it relies on proprietary code, of course, but it's fun to imagine.

syspec, over 4 years ago
What is the legality of /looking/ at this code in order to study how a large corporation with a large code base writes a Rails app?

I'd love to study it but not if just viewing it is a gray area.

globular-toast, over 4 years ago
There's a really strange phenomenon that I experience on the internet where I think news is much older than it really is. This is quite a striking example of that. I read this title today and immediately thought "that's old news". But it turns out that I read this only yesterday and in a comment, not even an article. It's strange how my brain seems to store this information quickly, but doesn't have enough time to timestamp it.

thdc, over 4 years ago
I wouldn't say it was a bug in GitHub's application that allowed someone to impersonate Nat, it's just that the author of the commit (which can be changed easily/set manually in git) matched his name/email.

How many people can actually push to that repo? I wonder if it would be easy to figure out who actually did it...

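natfriedman's advice (sign commits, look for the 'verified' label) and the point made by pietroglyph and thdc (the author line is free-form metadata that git never checks) reduce to one defensive check: trust an author line only when a good signature stands behind it. The script below is an added example, not code from the thread or from GitHub; it consumes git's own signature-status output, the sample log lines, names and example.com addresses are constructed, and the docstring gives the `git log` format that produces real input.

```python
"""Flag commits whose author line is not backed by a verifiable signature.
Input is the output of `git log --format='%H%x09%G?%x09%an <%ae>'`, where %G?
is git's signature status: G good, U good but key trust unknown, B bad,
X/Y expired signature/key, R revoked key, E cannot be checked, N no signature."""
from dataclasses import dataclass

REASONS = {
    "G": "good signature from a trusted key",
    "U": "good signature, but key trust is unknown",
    "B": "bad signature",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (key missing)",
    "N": "no signature: author line is unverified metadata",
}

@dataclass
class Commit:
    sha: str
    sig_status: str
    author: str

def parse_log(text: str) -> list[Commit]:
    """Parse tab-separated `sha, %G?, author` lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if line.strip():
            sha, status, author = line.split("\t", 2)
            commits.append(Commit(sha, status, author))
    return commits

def untrusted_commits(commits: list[Commit], allow_unknown_trust: bool = False) -> list[Commit]:
    """Commits whose author line cannot be trusted on the strength of a signature."""
    ok = {"G", "U"} if allow_unknown_trust else {"G"}
    return [c for c in commits if c.sig_status not in ok]

def explain(c: Commit) -> str:
    return f"{c.sha[:12]} {c.author}: {REASONS.get(c.sig_status, 'unknown status')}"

# Constructed sample output: the third commit claims a maintainer's name and
# e-mail in its author line but carries no signature, so git cannot vouch for it.
SAMPLE_LOG = (
    "1111111111111111111111111111111111111111\tG\tAlice Dev <alice@example.com>\n"
    "2222222222222222222222222222222222222222\tU\tBob Dev <bob@example.com>\n"
    "3333333333333333333333333333333333333333\tN\tMaintainer <maintainer@example.com>\n"
)

if __name__ == "__main__":
    print("\n".join(explain(c) for c in untrusted_commits(parse_log(SAMPLE_LOG))))
```

Pipe a real history through it with `git log --format='%H%x09%G?%x09%an <%ae>' | python3 script.py` after swapping SAMPLE_LOG for sys.stdin.read(); statuses U and E mean the signing key is not in your keyring, which is a key-distribution problem rather than proof of impersonation.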
blitblitblit, over 4 years ago
Can we finally see which WebComponents are being used now? Github forcing WebComponents is a serious design flaw.

samim, over 4 years ago
Github, via extension of its owner Microsoft, is owned by some of the most regressive, monopolistic, oligarchic/kleptocratic, big-finance forces on the planet - the likes of Blackrock, Berkshire, Gates, etc. It is very much in their interest to centralize and control open source/free software (free as in freedom), and they have a well established track record of doing just that, by any means necessary. To say it more poignantly: Microsoft is a direct driver of perverse wealth inequality, endless wars and centralisation of power which effectively destroys any resemblance of democracy everywhere. Behind the clean corporate facade, they are just another mafia. If you support this system - by hosting your code on Github and buying MS products - you are de-facto supporting this techno-dictatorship.

greggman3, over 4 years ago
Tangentially related

I'm wondering when one of the 1000s of services with write access to 100s of thousands of github run repos gets hacked or tokens expropriated and lots of repos suddenly get malicious commits.

I saw the headline and assumed this was a leak of someone else's source via stolen tokens.

devcriollo, over 4 years ago
https://anonfiles.com/Jax980m9p6/dmca-565ece486c7c1652754d7b6d2b5ed9cb4097f9d5_zip

czbond, over 4 years ago
I had always heard GitHub was running on Rails - but I always thought "sure, some section of it is". Not ALL on Rails - with models and controllers in there.

arthurcolle, over 4 years ago
Is there a torrent for this?

phendrenad2, over 4 years ago
Is there an open-source alternative to GitHub that has all of the (A) Features and (B) UI Niceness that GitHub had 10 years ago?

pojntfx, over 4 years ago
Tbh I think it's quite interesting that by far the biggest open source platform is in itself not open source. Why?

thrownaway954, over 4 years ago
it looks like they have already taken the source code down, which sucks cause i would have LOVED to look at it. github has some of the smartest developers in the world working for them and i would love to pore over the code and see the thought process involved in creating the github backend.

aesyondu, over 4 years ago
If anyone wants to share their thoughts on the code quality I would be happy to read them.

adenozine, over 4 years ago
I don't suspect I'll ever see a more ironic headline in my entire life.

emrehan, over 4 years ago
Now that the damage is done, GitHub can go release the source code and own it.

jpdlla, over 4 years ago
Probably de-obfuscated source code from a Github Enterprise VM.

mohamez, over 4 years ago
What's up with all this source code leaking online?

ibraheemdev, over 4 years ago
Would downloading a local copy be considered illegal?

rurban, over 4 years ago
Lots of small Perl one-liners for a Ruby shop :)

knolax, over 4 years ago
Wait, Github isn't open source? The irony.

The_rationalist, over 4 years ago
Where can we find the code?

wdiamond, over 4 years ago
I hope that I won't need to search through a thousand GitHubs for each npm package I need in the near future.

preommr, over 4 years ago
7.5 billion dollars well spent.
