yan

pop quiz! which github account authored this commit?

---

answer: me (diracdeltas). bsclifton had nothing to do with this commit. i entered his email using the --author git flag and github automatically linked it to his account. the "verified" label (which at a glance makes it look like the entire commit is verified) only verifies my account.

reminder that unless someone is signing git commits, there's no real guarantee that they actually authored a commit!

Dec 21, 2022 at 6:30pmWeb
Show threadaismallard (relocated!)Dec 21, 2022
@bcrypt It should really only say "Verified" if all the participants are GitHub-verified
Show threadPatrycja πŸ”œ V43Dec 21, 2022
@bcrypt github added "Partially verified" for that exact reason, but apparently the condition to show that warning doesn't catch all cases(?)
Show threadKevin JonesDec 21, 2022
@ptrc @bcrypt if "bsclifton" enabled "vigilant mode" then it would show as partially verified.
Show threadPatrycja πŸ”œ V43Dec 21, 2022
@vcsjones ah, makes sense
Show threadJoakim Uddholm πŸ‡ΈπŸ‡ͺπŸ‡©πŸ‡ͺDec 21, 2022

@bcrypt not sure if github uses it as well, but on bitbucket you can also spoof commits from other users using a .mailmap file.

https://gist.github.com/Tethik/7df331368b658937829bb91c20665cd4

Bitbucket Verify Committer Hook Bypass PoC

Bitbucket Verify Committer Hook Bypass PoC. GitHub Gist: instantly share code, notes, and snippets.

Gist
Show threadJon Dowdle Dec 29, 2022
@bcrypt is there a UX signal in GH that says a commit was signed?