• urda 14 days ago |
    This could have been partially avoided with signed commits.
    • gzalo 14 days ago |
      Not really. The username from the commits is the same one that created the PR. The username evildojo666 was available and the attacker just used it.
    • bdstanga 14 days ago |
      This was actually a true impersonation case, because the researcher's Twitter username was free on GitHub, so the attacker just created a new account with that username and used it to create the malicious PR.
    • zanecodes 14 days ago |
      A signed commit can only prove that the owner of a key did make a particular commit, it can't prove that they didn't make a commit, for instance by using some other undisclosed key.
    • urda 4 days ago |
      The replies and the lack-of-public-key-private-key understanding here are so bad it's not worth following up on any replies here. Literally have users hung up on "it's a username" instead of understanding what a signed commit is, and how you verify someone owns said key beyond "their username".

      I expected better, HN.
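As an added example (not code from any commenter in the thread), here is the check zanecodes and urda are circling around: a signature on a commit only tells you something once the signing key is compared against keys you already trust, never against the account name. The commit hashes and fingerprints below are constructed placeholders, and the allowlist of fingerprints is an assumption of the script.

```python
import subprocess

# `git log` format: commit hash, signature status (%G?), signing-key fingerprint (%GF).
# %G? codes: G = good and trusted, U = good but untrusted by gpg, N = unsigned,
# B/X/Y/R/E = bad, expired, expired key, revoked, or verification error.
LOG_FORMAT = "%H %G? %GF"

# Keys we have vouched for out of band (assumed allowlist, fingerprints are placeholders).
ALLOWED_KEYS = {
    "ABCDEF0123456789ABCDEF0123456789ABCDEF01": "researcher (key exchanged in person)",
}

# Constructed sample output of `git log --format="%H %G? %GF"` for four commits.
SAMPLE_LOG = [
    "1111111111111111111111111111111111111111 G ABCDEF0123456789ABCDEF0123456789ABCDEF01",
    "2222222222222222222222222222222222222222 N",  # unsigned, author name matches the researcher
    "3333333333333333333333333333333333333333 U 0000000000000000000000000000000000000000",
    "4444444444444444444444444444444444444444 B ABCDEF0123456789ABCDEF0123456789ABCDEF01",
]


def audit_commits(log_lines, allowed_keys):
    """Return (commit, reason) for every commit not signed by an allowlisted key.

    The decision rests on the key fingerprint, so a gpg trust level of U is fine
    as long as the fingerprint is one we vouched for ourselves.
    """
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        commit, status = parts[0], parts[1]
        fingerprint = parts[2] if len(parts) > 2 else ""
        if status == "N":
            findings.append((commit, "unsigned"))
        elif status not in ("G", "U"):
            findings.append((commit, f"bad signature status {status}"))
        elif fingerprint not in allowed_keys:
            findings.append((commit, f"signed by unknown key {fingerprint}"))
    return findings


def audit_range(rev_range, allowed_keys, repo="."):
    """Run the same audit over a real revision range, e.g. 'main..pr-branch'."""
    proc = subprocess.run(["git", "-C", repo, "log", f"--format={LOG_FORMAT}", rev_range],
                          check=True, capture_output=True, text=True)
    return audit_commits(proc.stdout.splitlines(), allowed_keys)
```

Only the first sample commit passes; the unsigned commit with a matching author name is flagged exactly like the one signed by a stranger's key.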