I feel this description is Linus backtracking, where the original target of the "git" label was in fact Andrew Tridgell, who was at the center of the Linux/bitkeeper reverse engineering drama [0].
Trivia: Andrew Tridgell's techniques here catalyzed the creation of git. He applied them to reverse-engineer parts of the BitKeeper protocol, a proprietary version control system then hosting the Linux kernel. BitKeeper CEO Larry McVoy revoked Linux's license to use BK, Linus went off and wrote a replacement, and the rest is history.
Ted Ts'o (extremely well-known developer) being warned by Linus Torvalds (extremely well-known developer) about a Git pull request that has a misleading commit message.
Huh, does he think he's funny? Spamming the Linux kernel git seems like a good way to be considered a major wanker. And doing it from a non-throwaway Github account?
> "Others who look at those commits would still see the correct person's name,"
They would see the name which was written into the commit; assuming that's "the correct person" is the same mistake. Associating to the GitHub verified email account is incorrect in the same fashion, but going the other way. They're both only text saying "Linus Torvalds", in the absence of signing, neither is more or less authoritative than the other. Connecting it to a random profile looks wrong, but trying to correct it to the 'right' profile lends it an air of legitimacy it shouldn't have.
Papering over that is like teaching people to click through warning messages, or that HTTP is fine because the site shows the right looking text.
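To make the point above concrete, here is an added example (not from any commenter or from git itself) that parses a git commit object: the author header is free text that git hashes but never authenticates, and only a gpgsig header gives you anything checkable. The commit bodies are constructed samples with a placeholder signature block, not real kernel objects.

```python
import hashlib
import re

# Constructed sample commit object (not a real kernel commit). The author
# header is free text: git never checks that the name or e-mail belongs to
# whoever ran `git commit`.
UNSIGNED_COMMIT = b"""tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
author Linus Torvalds <torvalds@linux-foundation.org> 1112911993 -0700
committer Linus Torvalds <torvalds@linux-foundation.org> 1112911993 -0700

Initial revision of "git", the information manager from hell
"""

# Same constructed commit with a placeholder (not valid) gpgsig header, which
# is how git stores a signature; only `git verify-commit` can say if it checks out.
SIGNED_COMMIT = b"""tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
author Linus Torvalds <torvalds@linux-foundation.org> 1112911993 -0700
committer Linus Torvalds <torvalds@linux-foundation.org> 1112911993 -0700
gpgsig -----BEGIN PGP SIGNATURE-----
 PLACEHOLDER-SIGNATURE-BLOCK
 -----END PGP SIGNATURE-----

Initial revision of "git", the information manager from hell
"""

def object_id(body: bytes) -> str:
    """Git commit id: SHA-1 over the 'commit <len>\\0' header plus the body."""
    return hashlib.sha1(b"commit %d\0" % len(body) + body).hexdigest()

def parse_headers(body: bytes) -> dict:
    """Split the header block from the message; continuation lines (leading
    space) belong to the previous header, which is how gpgsig spans lines."""
    header_block, _, _message = body.partition(b"\n\n")
    headers, key = {}, None
    for line in header_block.split(b"\n"):
        if line.startswith(b" ") and key:
            headers[key] += b"\n" + line[1:]
        else:
            key, _, value = line.partition(b" ")
            headers[key] = value
    return headers

def attribution(body: bytes) -> dict:
    """Who the commit *claims* as author, and whether a signature exists that
    could make the claim checkable. Without gpgsig it is only text, so the
    e-mail can be matched to any profile by anyone who types it in."""
    headers = parse_headers(body)
    m = re.match(rb"(.*) <([^>]*)> (\d+) ([+-]\d{4})", headers[b"author"])
    return {"id": object_id(body), "name": m.group(1).decode(),
            "email": m.group(2).decode(), "signed": b"gpgsig" in headers}
```

Changing a single byte of the author line yields a different commit id, so the id binds the text, but nothing in the object says who actually wrote it.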
I looked into it (https://old.reddit.com/r/linux/comments/mvd6zv/greg_khs_resp...). People from the University of Minnesota have 280 commits to the Linux kernel. Of those, 232 are from the three people directly implicated in this attack (that is, Aditya Pakki and the two authors of the paper), and the remaining 28 commits are from one individual who might not be directly involved.
> The obvious denispetrov.com ... programmer ... a New Yorker ... end of a 25-year career and the blog dries up entirely in 2011, so it doesn’t match the place or time
There's a lot of metadata about when/how they used git and IRC, and some preliminary analysis on same. Another surname in one of the commits. An apparent LinkedIn account. (See heading "OSINT" in https://boehs.org/node/everything-i-know-about-the-xz-backdo... .)
A lot of these tracks could be intentionally manipulated by a sophisticated actor to disguise their identity, but it's not "nothing".
I think the blog author is implying as much as he can, without directly accusing, that he believes that https://github.com/shinnn was responsible for the bad code, not a random hack.
At first I thought the guy who did this was a lone wolf but now I believe it was indeed a state actor. They coordinated and harassed the original maintainer into giving them access to the project; basically they hijacked the open source project. The poor guy (the original maintainer) was alone against state actors who were persistent with the goal of hijacking and then backdooring the open source project.
It seems like they were actively looking[0] for which open source compression library they could inject with vulnerable code and then exploit and backdoor afterwards.
> The problem is that GitHub makes this association even for unverified email addresses. In this case of course it really was Linus who made the first commit, but all it took was someone to add Linus's email address to their GitHub profile - without any verification - and now GitHub displays this person as the author instead.
Well, the fact that he and the other Linux maintainers had previously used (and were intimately familiar with) BitKeeper, and thus had a good idea of what their new FLOSS DVCS should look like, probably also helped.
Not saying that he copied BitKeeper 1:1, but if you look at BitKeeper usage examples (http://www.bitkeeper.org/), they do look familiar, don't they? BTW, BitKeeper is now open source - and development seems to have largely ceased...
The response seems a lazy, thoughtless, self-serving cop-out, one that permits a false identity claim and then pushes the entire burden of challenging it back to the primary victim, who may well be unwitting, and where secondary victims (anyone defrauded by believing a false attribution) have no standing at all.
You can file the whole line of thinking - from design to support - under "worst practices" and "things not to emulate in your own product".
When it comes to handling how unverified author identity is presented and cross-referenced, Github could stand to do a lot better.
Fortunately, the problem appears confined to Github's web interface; a git show --quiet e83c516 still produces
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu Apr 7 15:13:13 2005 -0700
Initial revision of "git", the information manager from hell
Here’s lattner telling some guy off. There’s none that I can think of that are super memeworthy or anything. It’s usually just insecure devs with a little Dunning Kruger cocktail in the mix.
Certainly not anybody bothering dozens of people manually, for months, like in the link. That’s pretty wild.
Actually, I could much rather believe that 'git' referred to Larry McVoy, Mr. Bitkeeper himself. I've never met the man, but the fact that the license was onerous and he basically took his ball and went home speaks volumes. Also, and again hearsay, but I've heard stories about him.
That being said, I'll take BitKeeper over Perforce any day of the week.
[0] http://www.theregister.co.uk/2005/04/14/torvalds_attacks_tri...