Thursday, November 5, 2020

GitHub Source Code Leak

Resynth (via Hacker News):

The entire source code for the code hosting service used by developers, GitHub.com, has just been leaked to the public.

In a suspicious commit to the official GitHub DMCA repository, an unknown individual uploaded the confidential source code, impersonating Nat Friedman using a bug in GitHub’s application.

Nat Friedman:

GitHub hasn’t been hacked. We accidentally shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers a couple of months ago. It shares code with github.com. As others have pointed out, much of GitHub is written in Ruby.

Git makes it trivial to impersonate unsigned commits, so we recommend people sign their commits and look for the ‘verified’ label on GitHub to ensure that things are as they appear to be.

As for repo impersonation – stay tuned, we are going to make it much more obvious when you’re viewing an orphaned commit.

Comments RSS · Twitter

Leave a Comment