Unknown individuals uploaded the source code of GitHub and GitHub Enterprise to the special section for DMCA complaints on GitHub. Moreover, the sources were published through a commit crafted to look as if it came from the head of GitHub, Nat Friedman, himself. However, in a post published on YCombinator Hacker News, Friedman stated that he did not post the source code and that GitHub was not compromised in any way.
“Hi folks, I’m the CEO of GitHub. GitHub hasn’t been hacked. … In summary: everything is fine, situation normal, the lark is on the wing, the snail is on the thorn, and all’s right with the world,” wrote Nat Friedman.
According to him, the leak does not include all of GitHub's code, only GitHub Enterprise Server. This product is intended for companies: it lets them run GitHub Enterprise on their own local servers if, for example, they need to store their sources locally for security reasons.
Friedman writes that this code was “leaked” a few months ago through an error by GitHub's own engineers, who mistakenly sent non-obfuscated and unprotected sources to clients.
In his message, the head of GitHub promised that the flaws used to post the code will soon be fixed, and that unauthorized persons will no longer be able to attach code to other people’s projects and forge other people’s identities.
“We accidentally shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers a couple of months ago. It shares code with github.com. Git makes it trivial to impersonate unsigned commits, so we recommend people sign their commits and look for the ‘verified’ label on GitHub to ensure that things are as they appear to be. As for repo impersonation – stay tuned, we are going to make it much more obvious when you’re viewing an orphaned commit,” reported Nat Friedman.
It should be noted that one of these bugs was already used quite recently. It all started with the removal of the youtube-dl project and its numerous copies from GitHub, after which infuriated users were forced to upload the youtube-dl source code wherever they could, including to the same GitHub repository that holds DMCA notifications.
The unidentified person who posted the GitHub Enterprise Server source code was likely also protesting against the removal of youtube-dl and the RIAA complaint, as many other users did.
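Friedman's advice to sign commits and look for the "verified" label can also be checked locally. The following is an added example, not code from the article or from GitHub: the function names `audit_signatures` and `make_demo_repo` and the sample identity are constructed for illustration. It lists every commit in a repository that does not carry a good signature, using Git's `%G?` log placeholder.

```shell
#!/usr/bin/env bash
# Added example: flag commits whose author identity is not backed by a good
# signature. The author name and e-mail in a commit are plain text taken from
# configuration; only a signature ties the commit to a key.
#
# %G? status codes (git-log documentation):
#   G good   U good, unknown trust   N no signature   B bad
#   E cannot be checked   X/Y expired signature or key   R revoked key

# audit_signatures <repo> [rev-range]
# Prints "<status> <short-hash> <author> <email>" for every commit that is not
# status G and returns 1 if any were found, 0 otherwise.
# Assumption: policy accepts only G; U is reported for manual review.
audit_signatures() {
    repo=$1
    range=${2:-HEAD}
    findings=$(git -C "$repo" log --format='%G? %h %an <%ae>' "$range" \
        | grep -v '^G ' || true)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_demo_repo
# Builds a throwaway repository with one unsigned commit as constructed sample
# data and prints its path. The identity below is a placeholder.
make_demo_repo() {
    dir=$(mktemp -d)
    git init -q "$dir"
    git -C "$dir" -c commit.gpgsign=false \
        -c user.name='Example Maintainer' \
        -c user.email='maintainer@example.invalid' \
        commit -q --allow-empty -m 'constructed unsigned commit'
    printf '%s\n' "$dir"
}

# Usage:
#   audit_signatures /path/to/repo origin/main..HEAD || echo "review needed"
```

A status other than `G` does not mean a commit is forged, only that its stated author is not backed by a signature trusted in the local keyring.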