How to take credit for someone else's work on GitHub

491 points by arraypad, about 3 years ago

38 comments

nynyny7, about 3 years ago
I do see a point in it working like it does, though. I'm one of the lead developers on a free software project with over 20 years of history. Even though the project has used multiple version control systems (and hosting providers) over time, we have imported our entire project's history going back to the very first commit into git and GitHub.

Not every contributor has kept their email address for over 20 years. Some don't have access to the old addresses they once used for commits. Still they want the commits to be associated with their current GitHub account; even if it's just for statistics and "bragging rights".

If GitHub required email address verification, how would this be done?

EDIT: To be clear: With "working like it does" I'm referring to the possibility to add unverified email addresses to your account and have commits attributed to you.

kazinator, about 3 years ago
In spite of GitHub's claims that nothing is wrong, something *is* wrong and fixable.

GitHub should be showing the identity pulled from the e-mail address, and not replacing it with the name of an associated GitHub account. Just like it does when there is no associated GH account.

A reasonable compromise would be to show that name, but turn it into a link to the account if there is one. Then only someone curious clicking on "Linus Torvalds" would see: hey, how come this leads to some VanTudor account?

uncomputation, about 3 years ago
GitHub’s response is pretty surprising. How can anyone think this is expected? Having to follow Git’s commit message emails makes sense and indeed anybody can use any email they want to make a commit. But then for GitHub to make the connection between (unverified) commit emails and (unverified) GitHub.com accounts is the issue for me. Since they can’t verify the commit email belongs to a GitHub account, why show that as though it were true?

lowercased, about 3 years ago
I thought this might be something different. Have seen this happen multiple times over the years - even once just last week.

Colleague files an issue with a PR. Project owners close it, say 'no, not a bug', then... commits the same thing themselves as "fixed!". Saw this years before in cvs/svn, and... at least in the GH world there's some evidence of the original PR author having done the work in the first place (vs being invisibly cut out).

trombonechamp, about 3 years ago
Or you can just do this: https://github.com/bhargavchippada/forceatlas2/commit/7438e2e48347a70d6ebd0bafcca22aea86629a79

myroon5, about 3 years ago
I have used emails in the past I can no longer verify, so I see a use case for linking unverified emails to profiles if there's only one profile claiming the email address.

However, if another profile verified that email address, it definitely shouldn't link to another profile that hasn't verified.

rockbruno, about 3 years ago
It seems that one proper solution could be:

1 - Don't associate the commit to an account if the email is unverified, obviously

2 - If someone tries to "forge" ownership by pushing a commit with an e-mail that doesn't belong to the GitHub account being used to push, an "unverified" warning should be added to the commit and manually claimed by the account owning said e-mail for its status to change.

nfoz, about 3 years ago
Veering off topic but I absolutely hate that git requires you to have an "email address" (which cannot be empty and iirc must satisfy some regex criteria for a valid-looking address). A particular choice of user identifier or communication medium should not be hardcoded into the totally unrelated concern of source-control, IMO. Anonymous and non-email accounts should be first-class things. Instead of email maybe you'd want to have your public-key or something.

svnt, about 3 years ago
I scrolled through all the comments and didn’t see this answer.

What better way to recruit famous people to your platform than to allow people to trivially claim their commits until and unless they join and claim them?

It is most likely driven by customer acquisition — hence the response “working as expected!”

spyremeown, about 3 years ago
I remember when one of our contractors refused to do a rebase for like, a week, and just ignored any messages we sent him. I changed my e-mail on git to his, rebase, push, PR merged :)

Nobody ever found out hahaha

SilasX, about 3 years ago
I remember this earlier subthread where someone was criticizing GitHub for allowing this (even using Torvalds as someone to impersonate!), and others offered some defenses (which were IMHO dubious):

https://news.ycombinator.com/item?id=21025378

Also, semi-related, obligatory mention of my joke utility for stealing credit for someone else's work:

https://github.com/silasx/git-upstage

Finally, I thought this phrasing was funny, like commits have a non-substantively transferable ownership, like an NFT (though FYI it's quoting an older discussion of the same problem):

> Someone wrote about the whole situation on Medium in November 2021: "The 1st commit of git/git no longer belongs to Linus Torvalds".

anandoza, about 3 years ago
Could someone also write bad code and commit it using someone else's email address in the commit message, thus making the commit link to the other person's Github profile? (Sort of the reverse problem -- "giving blame" instead of "taking credit")

huhtenberg, about 3 years ago
Arpad, your site looks like this - https://i.imgur.com/jj9Uxbl.png

Not just the linked page, the homepage too. All but illegible. That's in a recent Firefox on Windows. Just FYI.

kevincox, about 3 years ago
Their response is to add a PGP key. But AFAICT they don't do verification on PGP keys either. So you could do the same.

denysvitali, about 3 years ago
I noticed that arraypad is really trying to push his repography project. Whilst this is not a bad thing, it seems like he is using the blog posts as an excuse to push more his project.

I don't mind that much, but I think I've seen these posts hitting the front page quite a lot already - it's a good strategy but it could be maybe against the guidelines:

> Please don't use HN primarily for promotion. It's ok to post your own stuff occasionally, but the primary use of the site should be for curiosity.

globular-toast, about 3 years ago
This reminds me very much of a "hack" I performed in a workplace that used Outlook/Exchange as its primary email system. I simply sent an email (to a few, trusted people) with the "from" field set to the CEO's name/address.

In their inbox it looked completely legit. Outlook even put the CEO's avatar next to it and everything. They were genuinely shocked. Even after I explained that the "from" field is just like me writing "love from Mum" at the bottom of a letter I think they still couldn't believe it.

There is a problem with people assuming that all data they find is authoritative. People don't question whether they can trust data often enough. Another problem is when you make things look nice enough, they look trustworthy. This is a well known confidence trick, of course.

My PhD supervisor objected to me typesetting my work in LaTeX before it had been checked because he said once it's typeset it *looks* correct, but might still be complete rubbish.

Unfortunately this all boils down to web-of-trust, as usual. We've had the solution for decades now, but we've collectively agreed that it's more trouble than it's worth. So these kinds of problems will keep popping up again and again.

TrianguloY, about 3 years ago
Why not add a small orange (!) icon next to the name for unverified emails, or a similar indicator? As a way of saying "this user claimed authorship, but we couldn't verify it".

When you commit from the Github page itself, a similar green "verified" check is shown, but if you do it from command line and then push nothing is shown. So the infrastructure for special verification messages is there, and perhaps could be used.

moritzwarhier, about 3 years ago
I'm not entirely sold on the explanation "This is just how git commit (messages) work". GitHub could easily limit linking the GitHub profile to profiles whose e-mail address has been verified (by usual means, no GPG required).

They could show statistics and attribution limited to the data available in the commit messages (e.g. accumulated statistics by e-mail address) for contributors without a GitHub profile.

Am I missing something here? (Edit: just read the other comments addressing the use cases)

pornel, about 3 years ago
I knew about the ability to push commits as someone else, but GitHub allowing taking ownership of other people's commits in their own repos, using an *unverified* e-mail address seems like a whole another level of insecurity here.

Even though git -> email link is weak for reasons beyond GitHub's control, I expected email -> github account link to be reliable, since that is entirely under GitHub's control.

I think GitHub is needlessly making a bad situation even worse here.

leonardinius, about 3 years ago
Dated back to at least 2015 https://news.ycombinator.com/item?id=10005577

It’s old news.

striking, about 3 years ago
This is just a fact of how attribution works in Git. It's not GitHub's responsibility to figure out exactly who should be given credit for which commit, they're just a viewer on top of Git commits.

Imagine you did some work at some workplace years ago, and you want credit for it. You don't have access to that email anymore, but you'd still like to have the credit and have it link to your account. That's the usecase.

gorkish, about 3 years ago
I'm extremely surprised as well. This seems like an obvious vector for an impersonation attack. A malicious user could do this, then perhaps they would have more success submitting a malicious change to "correct a flaw in their previous commit".

At the very least, repo owners should have some better control over how attributions display when the user is not a project member or the email used is not verified to an existing user.

nyellin, about 3 years ago
Repography looks very cool, but why does it need permission to "act on my behalf"?

Is it possible to use without connecting my user at all?

zestyping, about 3 years ago
An obvious and feasible improvement is to at least make it clear in the UI which addresses are verified or unverified.

FlacoJones, about 3 years ago
One thing to note: I believe this only works if the email is not already associated with a GH account.

gurjeet, about 3 years ago
I think if the project included a mailmap file [1], supported by Git, and if Github honored it, this may not be a problem.

[1]: http://git-scm.com/docs/gitmailmap

aledalgrande, about 3 years ago
This is trackable, but I had my PR closed and my contributions redressed as another PR a week later by the members of a few different prominent opensource projects, without any communication on their part. And I only realized by chance.

j3s, about 3 years ago
how many email addresses can a person associate with their account? is there the potential for me to develop a bot that scrapes every "unclaimed" email address and claim them? seems like a very poor design choice.

ILMostro7, about 3 years ago
Is it at all relevant that github is not a source of authority for anything, unless the project itself chooses it (and maintainers/owners designate it) as the platform of choice for source control?

anfractuosity, about 3 years ago
What happens if multiple github users add the same unverified email address for a particular commit in a repo to their accounts, how does it know which github username to pick to display next to the commit?

a-dub, about 3 years ago
so this is obviously an ad for this repography thing, which looks pretty cool.

so.. does it do anything interesting with stuff like git blame -CCC which shows the genealogy of copypasta across time within a repo?

whiddershins, about 3 years ago
Whether working as expected or not, just fix the Linus thing, that is an embarrassment and a surreal one at that.

whateveracct, about 3 years ago
Sign your commits if you care about this!

iirc, isn't signing with the same ssh key you push with a possibility?

clutch89, about 3 years ago
Why does the email address hijacking only work/show up for the first commit?

quickthrower2, about 3 years ago
Because Git/Github is a source control tool, not a forensic tool.

anglinb, about 3 years ago
I worked on the security team at GitHub, this was a long standing part of how git works. GitHub allows users to verify commits via GPG signatures to prove that they committed something but it doesn't work for proving a negative, that you did not commit something.

We got so many of these submissions which are clearly called out in the rules/scope, usually the people who don't read the rules don't find anything useful. ¯\_(ツ)_/¯

guptarohit, about 3 years ago
for these reasons I have started using PGP signing for commits and releases I make
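
Added example, not part of any comment in this thread and not GitHub's own logic: a Python check that reads `git log` output carrying git's `%G?` signature status and lists commits whose author e-mail is only an unverified claim. The `must_sign` policy list, the choice to trust only status `G`, and the sample log lines are assumptions constructed for the illustration.

```python
# Added example: audit `git log` output for authorship claims nothing backs up.
# Expected input, one commit per line, tab-separated, produced by:
#   git log --format='%H%x09%G?%x09%ae%x09%ce'
# %G? is git's signature status: G good, U good with unknown validity, B bad,
# X/Y expired, R revoked key, E cannot be checked, N no signature.

TRUSTED = {"G"}  # assumption: only a fully valid signature counts as proof

def audit(log_text, must_sign):
    """Return (sha, author_email, reason) for each commit worth a second look.

    must_sign: lowercase author e-mails whose commits are expected to be signed
    (a hypothetical project policy, not something git or GitHub defines).
    """
    findings = []
    for line in log_text.strip().splitlines():
        sha, sig, author, committer = line.split("\t")
        author, committer = author.lower(), committer.lower()
        if sig in TRUSTED:
            continue  # signature verified against a key in the local keyring
        if sig in {"B", "R"}:
            findings.append((sha, author, "bad or revoked signature"))
        elif author in must_sign:
            findings.append((sha, author, "unsigned commit from must-sign identity"))
        elif author != committer:
            # Normal for applied patches and cherry-picks, so a review prompt only.
            findings.append((sha, author, "unsigned, author differs from committer"))
    return findings

# Constructed sample data (not from any real repository).
SAMPLE = "\n".join([
    "a1\tG\tmaintainer@example.org\tmaintainer@example.org",
    "b2\tN\tmaintainer@example.org\tnewcomer@example.net",
    "c3\tN\tnewcomer@example.net\tnewcomer@example.net",
    "d4\tN\told-address@example.com\tnewcomer@example.net",
    "e5\tB\tnewcomer@example.net\tnewcomer@example.net",
])

if __name__ == "__main__":
    for sha, author, reason in audit(SAMPLE, {"maintainer@example.org"}):
        print(f"{sha}  {author}  {reason}")
```

The check only reports what the local keyring can verify, so a commit signed with a key that is not imported shows up as `E` and is treated like any other unproven claim.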

dogweather, about 3 years ago
Just ask Sushi Swap.