
CEO Nat Friedman calls the repo post a fake and promises to make impersonation more difficult.

Recently a site called Resynth (resynth1943.net) posted a link to a Wayback Machine snapshot of a GitHub repo that appeared to come from GitHub CEO Nat Friedman. The poster had labelled the repo as: “This is GitHub.com and GitHub Enterprise.”

Developer and privacy activist Resynth1943 announced on Wednesday that GitHub’s source code had been leaked on GitHub itself. Resynth even claimed that the hack had appeared in GitHub’s own DMCA repository.

Resynth1943 described the code as having “just been leaked” by an unknown individual. He then re-posted an announcement on Hacker News.

GitHub CEO Nat Friedman then went on Hacker News himself to set minds at rest. The CEO explained that the upload spotted by Resynth was actually of GitHub Enterprise Server, not the GitHub website itself. While the two share a considerable volume of code, the distinction is significant.

This means that technically, GitHub itself was not actually hacked.

An explanation from GitHub CEO calms the waters

Friedman explained as follows: “GitHub hasn’t been hacked. We accidentally shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers a couple of months ago. It shares code with github.com. As others have pointed out, much of GitHub is written in Ruby.”

He went on to say that “Git makes it trivial to impersonate unsigned commits, so we recommend people sign their commits and look for the ‘verified’ label on GitHub to ensure that things are as they appear to be.”

Then came a promise of tighter security: “As for repo impersonation – stay tuned,” he said, “we are going to make it much more obvious when you’re viewing an orphaned commit.

“In summary: everything is fine, situation normal, the lark is on the wing, the snail is on the thorn, and all’s right with the world.”
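The commit-signing advice above is the part of this story a maintainer can act on. As an added illustration (not code from GitHub or from the article), the script below audits the signature status that `git log` reports per commit and flags anything that should not be trusted: unsigned commits, bad or unverifiable signatures, and commits whose signing key belongs to someone other than the claimed author. The tab-separated input format and the sample log lines are constructed for the example.

```python
"""Audit commit signature status from git log output.

Feed it lines produced by (one commit per line, tab separated):
  git log --format='%H%x09%G?%x09%GS%x09%an <%ae>' <range>
%G? is git's signature status code, %GS is the signer name taken from the key.
"""
from dataclasses import dataclass

# Meaning of the %G? status codes git emits for a commit.
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, untrusted key",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "signature cannot be checked (key missing)",
    "N": "no signature",
}

@dataclass
class Finding:
    commit: str
    author: str
    reason: str

def audit_signatures(log_lines):
    """Return a Finding for each commit that must not be treated as verified.

    A commit passes only when git reports 'G' and the signer name from the
    key equals the author name written into the commit. Anyone can put any
    name in an unsigned commit, so the author field alone proves nothing.
    """
    findings = []
    for line in log_lines:
        if not line.strip():
            continue
        sha, status, signer, author = line.rstrip("\n").split("\t", 3)
        if status != "G":
            findings.append(Finding(sha, author, STATUS.get(status, f"unknown status {status!r}")))
            continue
        claimed_name = author.split(" <", 1)[0]
        if signer != claimed_name:
            findings.append(Finding(sha, author, f"signed by {signer!r}, not the claimed author"))
    return findings

# Constructed sample log lines (not real commits); the 'lead@example.com'
# author is merely claimed on the second and fourth commits.
SAMPLE_LOG = [
    "a1b2c3\tG\tAlice Example\tAlice Example <alice@example.com>",
    "d4e5f6\tN\t\tProject Lead <lead@example.com>",
    "0a1b2c\tB\tAlice Example\tAlice Example <alice@example.com>",
    "3c4d5e\tG\tMallory Example\tProject Lead <lead@example.com>",
]
```

Running `audit_signatures(SAMPLE_LOG)` flags the last three sample commits; only the first, signed by a key whose identity matches the author, is accepted.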
