Python The actual combat community
Java The actual combat community
Long press to identify the QR code below , Add as needed
Scan code, pay attention to add customer service
Into the Python community ▲
Scan code, pay attention to add customer service
Into the Java community ▲
Xiao Xiao From the Aofei temple
qubits reports | official account QbitAI
GitHub All of a sudden “ Open source ” Part of my code , And put it in GitHub On .
The cause of the incident is like this ：
TypeScript The developer of the Resynth All of a sudden Po An article , Represents a code managed service GitHub All of the source code has been leaked .
He said , To the official GitHub DMCA In the suspicious documents submitted , An unidentified person uses GitHub A vulnerability in the application , Pretend to be GitHub Of CEO Nate · friedman （Nat Friedman） Upload secret source code .
As soon as something goes wrong , stay HN It has aroused a heated discussion among netizens , It's also sparked a new round of GitHub Thinking about security .
Net friend lrvick Express , Many security personnel, including him , Long ago GitHub Many of the related vulnerabilities have been publicly demonstrated on . But unless “ Come up with a virus ”, Microsoft doesn't acknowledge the existence of these vulnerabilities at all .
and , He said it a long time ago ,GitHub There is a serious design flaw in the part that submitted the signature , But now it's happening , They're the ones that get attention .
therefore , How did this strange user do it ？
How to fake CEO I leaked the code ？
GitHub Source code manager for Git, It doesn't effectively prevent users from counterfeiting .
Git Is more like email , That means , Users can choose the user name and fill in the email address at will , So it doesn't matter if you do something small .
—— Unless the information submitted has GitHub CEO Friedman's GPG Signature , otherwise Git When submitting information , There's no way to confirm if this is CEO My submission .（ The problematic code submission this time , There is no CEO My signature information ）
GPG（GNU Privacy Guard） It's a key software , Is used to encrypt 、 The content of the signed communication , It can also be used as a key to manage asymmetric cryptography .
Unless GPG The signature is associated with the email address , It does not confirm the authenticity of the submitted object .
in other words , When you make a submit request to Git Local warehouse , You will get a hash value representing the submitted request , It allows you to jump directly to your branch .
GitHub Similar to a Web Applications , Responsible for providing browser to Git Request interaction of the underlying architecture , It will store all branches in an underlying Repository , Even if it doesn't appear in the usual form in URL Architecture .
therefore , A file submitted by an unknown user “ In all fairness ” Into the GitHub Of DMCA The repository , It's also a fake CEO The way Friedman looks .
To do this , This strange user first copied a copy of DMCA The repository 、 Make a branch , Easy to submit It's going to leak out GitHub Source code ;
then , Unknown users forged Friedman's user name and email address , Submitted it to . therefore , stay DMCA In the repository , A user named Friedman , I submitted a copy of GitHub Source code .
CEO After response , Netizens have exploded
Regarding this ,GitHub CEO Friedman responded , Express GitHub Some time ago, accidentally confused a part of the source code to the customer , But it doesn't affect GitHub The safety of the .
He even recited a browning poem ： Everything is fine , It's normal, too , Skylarks spread their wings and fly , The snail crawls on the thorns , Everything goes well in the world ！
But apparently , Netizens don't care if the source code is CEO I leaked , contrary , This incident once again aroused them against “GitHub Open source ” The anger of the matter itself .
Net friend exabrial： you （ finger CEO） Think it's normal ？ Are you trying to fake / invalid DMCA, Delete what else ？
CEO friedman ： Here we suggest you read DMCA How it works .
Net friend dannyw： If GitHub We really advocate open source , It won't be the way it is now . as far as I am concerned , Microsoft is RIAA Members of .
Net friend dannyw The reason why RIAA（ The recording industry association of America ）, Because GitHub Some time ago, we should RIAA The requirements of , Delete... Directly GitHub On the open source pipeline Video Downloader Youtube-dl.
A stone makes a thousand waves , Original GitHub The first item deleted was 18 individual , Now a search , There came out 4000 Multiple .
Some developers say , This time “ Forgery ” Estimate and Youtube-dl The item was deleted about , It may also be that forgers are not open to Microsoft GitHub Source code complaint .
About GitHub Open source , And it has to be acquired from Microsoft GitHub After a series of actions .
Microsoft and its “ Open source ”
since 2018 Microsoft acquired GitHub after , Always claiming to be “ Committed to open source ”.
Resynth Express ：“ We've seen a lot of commercials （ Microsoft's love of open source ）, Microsoft's advertising , It really puts it at the forefront of open source development .”
But with what Microsoft advocates “ Open source ” The idea is relative to , It directly banned open source code from the community several times .
Recently , That's the trigger for the forgery “Youtube-dl Banned events ”.
Some developers said , Want to make GitHub Open your own source code , Now in Microsoft's view , It's absolutely impossible .
Resynth Also said , Due to the existence of closed source software 、 as well as Git Expansion , Give Way GitHub It looks more like an attempt to “ Including open source projects ” The platform of , Not open source itself .
for example , This year, 6 month ,GitHub There have been two hours of downtime , During this time , Thousands of open source projects cannot be accessed and used .
For this time GitHub The source code leak event , What do you think ？
It's gone GitHub Source address ：
Reference link ：
Programmer column Scan code and pay attention to customer service Press and hold to recognize the QR code below to enter the group
Recent highlights are recommended ：
Here's a look Good articles to share with more people ↓↓