No, GitHub was not hacked, despite appearances which could suggest the...

Several hours ago, the TypeScript developer and privacy activist writing under the pseudonym Resynth1943 published a post claiming that GitHub's source code had leaked:

All source code for the code hosting service used by developers, GitHub.com, has just been released to the public.

In a suspicious commit within the official GitHub DMCA repository, an unknown individual uploaded the confidential source code, posing as Nat Friedman by using a bug in the GitHub app.

At the heart of open-source, GitHub has long been criticized for keeping its source code private. The platform hosts millions of open source projects, and critics say GitHub’s stance is somewhat hypocritical.

However, this raises questions about the safety of GitHub’s source code and whether or not GitHub has something to lose, if they plan to release the source code in a public setting.

Some fear that this will harm the overall security of GitHub, and it may be true. Typically, closed source applications provide “security through obscurity”. This means that the source code is hidden, in order to conceal the security risks.

Since Microsoft’s acquisition of GitHub in 2018, Microsoft has repeatedly emphasized its “love” for open-source. We have seen this through repeated commercial advertisements, which aim to place Microsoft at the forefront of open source development.

Some users, such as Drew DeVault, suggest that Microsoft is trying to centralize open source. Thanks to closed source applications and proprietary extensions of Git, GitHub is seen as a platform that attempts to contain open source. An example of this is when GitHub was taken offline for two hours, leaving thousands of open source projects unreachable and unusable.

GitHub is, in many ways, the Google of open source development.

Maybe GitHub was 12 years late in finally revealing its source code to the public; and that may be exactly what we need.

Resynth1943 appears to be the one who announced the alleged leak of GitHub's source code by an unknown person, in a commit tampered with to make it look like it came from GitHub CEO Nat Friedman. Shortly after he spread the announcement on social media, Nat Friedman responded to set the record straight.

First of all, Nat Friedman denied being the author of the commit. He also stated that GitHub had not been hacked in any way. Additionally, he said, the leaked source code did not cover all of GitHub's code, but only the GitHub Enterprise Server product. Although the two share a considerable amount of code, the distinction matters: GitHub Enterprise Server is the version of GitHub Enterprise that businesses run on their own on-premises servers, for cases where they need to keep source code locally for security reasons but still want the features of GitHub Enterprise.

Although neither GitHub nor GitHub Enterprise Server is open source, the source code for GitHub Enterprise Server is routinely shipped to customers, though normally in a stripped-down and obfuscated form. According to Nat Friedman, GitHub accidentally provided some customers with a complete, unobfuscated tarball of GitHub Enterprise Server a few months ago; this is the code that was posted to GitHub's public DMCA repository.

Judging by the timing, it is likely that the unknown individual Resynth1943 alludes to posted the source code largely out of anger over the recent youtube-dl takedown. The Recording Industry Association of America (RIAA), the trade association that defends the interests of the recording industry in the United States, sent GitHub a DMCA takedown request alleging copyright infringement by youtube-dl. The code base, which serves as the foundation for video download tools on various platforms, has now been offline for several days. Many angry developers and users have expressed their dissatisfaction by re-uploading the offending code to GitHub. While GitHub says it wants to help restore the YouTube media downloader, the platform has warned that accounts may be deleted if they are found to be re-uploading content that was removed in response to a DMCA takedown.

The code posted by the unknown individual was also placed in GitHub's DMCA repository, which, as GitHub explains, serves as a running history of the DMCA takedown requests GitHub receives: "Inspired by Lumen (formerly Chilling Effects) and Google, this repository contains the text of the takedown notices and DMCA counter-notices that we have received here on GitHub. We post them as they are received while removing only personally identifiable information."

GitHub was not hacked. The opportunity to make several changes?

The commit appeared to come from the user Nat (that is, Nat Friedman, the current CEO of GitHub). Like the content of the commit, this was misleading. Note that Git itself, the version control system underlying GitHub, does little to protect against user impersonation. The commit in question was not marked as verified, meaning it was not signed with Friedman's GPG key.

The source code leak disappeared from GitHub itself very quickly and did not stay on web.archive.org for very long.

How would the usurper have gone about it?

Git commits, like email messages, allow users to put whatever information they want into fields user.name and user.email. This makes the spoofing of this information trivial. Unless the commit is actually signed with a GPG key associated with that email address, there is no real verification that it came from where it should.
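The practical consequence for anyone reviewing a repository's history is that the author name and address mean nothing on their own; only the signature status does. The script below is an added example, not code from the article or from GitHub. It parses the output of a hypothetical run of `git log --format='%H%x09%G?%x09%an%x09%ae'` (the `%G?` placeholder is Git's real one-letter signature status) and flags every commit that claims a trusted author address without carrying a good signature. The log lines, hashes and addresses it embeds are constructed for the demonstration.

```python
"""Flag commits that claim a trusted author identity but carry no good signature.

Added example, not code from the article or from GitHub. Input format is the
output of:  git log --format='%H%x09%G?%x09%an%x09%ae'
%G? is Git's signature-status letter: G = good signature, B = bad signature,
U = good but untrusted key, X/Y = good but expired signature/key,
R = revoked key, E = cannot check, N = no signature.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample log output; hashes, names and addresses are made up.
SAMPLE_LOG = """\
1111111111111111111111111111111111111111\tG\tNat\tnat@example.com
2222222222222222222222222222222222222222\tN\tNat\tnat@example.com
3333333333333333333333333333333333333333\tN\tsomeone\tsomeone@example.org
4444444444444444444444444444444444444444\tB\tNat\tnat@example.com
"""

# Author addresses whose commits we require to be signed with a verified key
# (hypothetical policy for this example).
TRUSTED_AUTHORS = {"nat@example.com"}

# Only a good signature from a trusted key is accepted.
ACCEPTED_STATUS = {"G"}

REASONS = {
    "N": "no signature", "B": "bad signature", "U": "untrusted key",
    "X": "expired signature", "Y": "expired key", "R": "revoked key",
    "E": "signature could not be checked",
}


@dataclass(frozen=True)
class Commit:
    sha: str
    sig_status: str
    author_name: str
    author_email: str


def parse_log(text: str) -> list[Commit]:
    """Turn the tab-separated git log output into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, status, name, email = line.split("\t", 3)
        commits.append(Commit(sha, status, name, email))
    return commits


def suspicious_commits(commits, trusted=TRUSTED_AUTHORS, accepted=ACCEPTED_STATUS):
    """Commits claiming a trusted address whose signature status is not accepted.

    Commits from untrusted addresses are ignored: an unsigned commit by a random
    user is ordinary, an unsigned commit claiming to be the CEO is not."""
    return [c for c in commits
            if c.author_email.lower() in trusted and c.sig_status not in accepted]


def report(text: str = SAMPLE_LOG) -> dict[str, str]:
    """Map each suspicious commit hash to a human-readable reason."""
    return {c.sha: f"claims {c.author_email} but {REASONS.get(c.sig_status, c.sig_status)}"
            for c in suspicious_commits(parse_log(text))}


if __name__ == "__main__":
    for sha, why in report().items():
        print(sha[:10], why)
```

On the constructed input, the signed commit passes, the unsigned commit by an unrelated address is ignored, and the two commits that claim the trusted address without a good signature are reported. Note that `%G?` only reports `G` when the signing key is in the checking machine's keyring and trusted, so the keyring used for the check must itself be maintained.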

It remains to be seen how a commit from a random user would appear in GitHub’s DMCA repository in the first place, but the answer doesn’t imply an account hack either.

Here is a theory circulating on the web:

When you push a commit to a Git repository, the commit is identified by a hash that can be used to locate it in the tree. GitHub, part of which is the web application that provides in-browser access to this underlying Git framework, keeps all forks of a repository in a single underlying repository, although it usually does not appear that way in the URL structure.

So, to create the illusion that GitHub CEO Nat Friedman had committed to the GitHub DMCA repository, the unknown individual first had to fork the DMCA repository (creating a copy he had the privilege to commit to). The next step was to commit the leaked source to that fork, spoofing Friedman's name and email address in user.name and user.email.

This would result in a forked repository containing the fake commit. But that alone would not have looked quite right: the URL would still point to the fork, and thus to the attacker's real username and GitHub account. Under the hood, however, the parent and the fork are both part of the same repository at the Git level. This allowed the attacker to construct a URL that gives the impression that the commit was made to the main repository rather than to the fork.

To complete the deception, the attacker started with https://github.com/github/dmca and appended tree/$hash, where $hash was the hash of the commit made on his own fork. The result was a URL that appeared to show a commit, made by CEO Nat Friedman, in GitHub's own DMCA repository.
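The distinction that the URL trick hides is between a commit that exists in the shared object store and a commit that is actually reachable from one of the parent repository's branches or tags. The script below is an added example, not code from the article or from GitHub. It models a made-up commit graph in which the parent repository's only branch ends at commit C while a fork holds a further commit D, and classifies a hash as in-history, fork-only or unknown by walking backwards from the parent's refs. On a real clone the equivalent check is `git branch -a --contains <sha>`, which lists the branches that actually contain a commit.

```python
"""Check whether a commit is part of a repository's own branch history.

Added example, not code from the article or from GitHub. Forks share one
underlying object store with the parent repository, so a commit made on a fork
can be addressed by hash through the parent's URL even though no branch or tag
of the parent points at it. The commit graph below is constructed; one-letter
ids stand in for real SHAs.
"""
from __future__ import annotations

# Constructed object store shared by the parent repository and its forks:
# commit id -> list of parent commit ids.
SHARED_OBJECTS: dict[str, list[str]] = {
    "A": [],
    "B": ["A"],
    "C": ["B"],
    "D": ["C"],   # made on a fork, with the author fields set to someone else's identity
}

# Refs (branches and tags) of the parent repository only; the fork's ref is absent.
PARENT_REFS: dict[str, str] = {"refs/heads/main": "C"}


def reachable_from(refs: dict[str, str], parents: dict[str, list[str]]) -> set[str]:
    """Walk backwards from every ref tip and collect every reachable commit."""
    seen: set[str] = set()
    stack = list(refs.values())
    while stack:
        sha = stack.pop()
        if sha in seen:
            continue
        seen.add(sha)
        stack.extend(parents.get(sha, []))
    return seen


def classify(sha: str, refs=PARENT_REFS, parents=SHARED_OBJECTS) -> str:
    """'in-history' if some parent ref reaches the commit, 'fork-only' if the
    object exists in the shared store but no parent ref reaches it, and
    'unknown' if the object does not exist at all."""
    if sha not in parents:
        return "unknown"
    return "in-history" if sha in reachable_from(refs, parents) else "fork-only"


if __name__ == "__main__":
    for sha in ("B", "C", "D", "Z"):
        print(sha, classify(sha))
```

Commit D renders fine under the parent's URL because the object is there, but no ref of the parent repository reaches it; a review process that resolves a hash to the branches containing it, rather than trusting the URL it arrived in, sees the difference immediately.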

The positive note is that there was no hacking here. The source code was freely, albeit accidentally, given to customers and not exfiltrated from a compromised server. Likewise, Friedman did not lose control of his own account, and GitHub did not lose control of its DMCA repository. In Friedman's own words: everything is fine, the situation is normal.

Source: Resynth1943's blog, GitHub DMCA, Nat Friedman

And you?

What do you think? Could GitHub take advantage of this experience to improve some of its processes?
What do you think of the theory that the author could be a developer venting his anger over the recent youtube-dl takedown?
Do you share the opinion of those who think that GitHub, as a platform for hosting open source code, should also publish its own code as open source? To what extent?
