Github lets me commit as another user


I'm learning how to use Git, and I've noticed that there's no control over user.name and user.email when committing. For example, I'm inside my repository. I can change my local config,

$ git config user.name "<someone's Github username>"
$ git config user.email "<someone's Github email>"

Then I commit something and push it. I will be asked for my GitHub username and password.

Now it appears as if another GitHub user authored that commit in my repository!?

Am I missing something?

Best Answer

Wow, this is an excellent question. I don't understand why this hasn't gotten more attention (maybe because it's not exactly security related, compared to SU).

There is a hacker news discussion about it - https://news.ycombinator.com/item?id=7792026

This is not a major issue, but you could do some serious abuse with it:

  1. You can publish commits from famous people, making it look like they endorse your project and actively contribute to it.
  2. You can fake the number of contributors your project actually has by using multiple identities of other real GitHub users (this will look way more legit than just using random e-mails).
  3. You might be able to convince someone to merge a pull request into his project by making him think most commits are coming from another trusted user.

Recently GitHub has been criticized for also allowing project owners to edit comments of users replying in their project, making it look like they wrote stuff they didn't write, which can lead to serious abuse. This is a very similar thing.

As other answers have mentioned, this is how Git was designed. In an internal repo you don't care much about this stuff; you mostly care about managing code and not reputation. GitHub, on the other hand, is a social tool and should care about its users' public reputation (as mentioned in the Hacker News discussion, this is solvable by PK encryption. Many users already have a PK assigned to their GitHub account for push permissions; I would imagine the same key can be used to sign commits).
