GitHub's Source Code Was Leaked on GitHub Last Night... Sort of
upstart writes in with an IRC submission:
GitHub's source code was leaked on GitHub last night... sort of:
Last night, developer and privacy activist Resynth1943 announced that GitHub's source code had been leaked on GitHub itself, in GitHub's own DMCA repository. It's going to take some unpacking to talk about that, but first things first: this isn't as big a deal as it might sound like.
GitHub Enterprise Server != GitHub.com
Shortly after Resynth1943 (who seems to have broken the news and described the code as having "just been leaked" by an unknown individual) reshared the announcement on Hacker News, GitHub CEO Nat Friedman showed up at HN to provide some context.
According to Friedman, the upload in question was actually of GitHub Enterprise Server, not the GitHub website itself. While the two share a considerable volume of code, the distinction is significant. Part of that significance is that GitHub itself was not actually hacked.
While neither GitHub nor GitHub Enterprise Server are open source code, GitHub Enterprise Server source code is routinely shipped to customers, though usually in a stripped-down and obfuscated format. According to Friedman, GitHub accidentally supplied some customers a complete and non-obfuscated tarball of GHES a couple of months ago; this is the code which was dumped into GitHub's public DMCA repository.
[...] On the plus side, there's no actual compromise here. The source code was freely, if accidentally, given to customers, not exfiltrated from a compromised server. Similarly, Friedman didn't lose control of his own account, and GitHub didn't lose control of its DMCA repository. In Friedman's own rather flippant words on Hacker News, "everything is fine, situation normal, the lark is on the wing, the snail is on the thorn, and all's right with the world."
Although all of the shenanigans documented here are within expectations (if you want to verify your identity, you should sign your commits with a GPG key), those expectations themselves are, perhaps, much lower than they should be. Managing GPG is still onerous enough to serve as a significant barrier to entry for many developers. More importantly, GitHub doesn't offer any controls to emphasize the presence (or lack) of such signatures.
Read more of this story at SoylentNews.
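The article's closing point is that GitHub surfaces no control that draws attention to commits lacking a signature, so a repository owner who wants to notice unsigned or unverifiable commits has to check for them. The script below is an added example (not from the article, from SoylentNews, or from GitHub) showing how to do that locally with `git log`'s `%G?` signature-status placeholder; it assumes a POSIX shell and a reasonably recent `git` on the PATH, and the demo repository it builds (two unsigned, empty commits under a constructed `demo@example.com` identity) is constructed here purely for illustration.

```shell
#!/bin/sh
# Audit commit signature status on a branch. Added example; assumes git is installed.
# git's %G? placeholder yields one letter per commit:
#   G good signature      B bad signature          U good but untrusted key
#   X good but expired    Y good, key expired      R good, key revoked
#   E signature present but cannot be checked (e.g. key missing)
#   N no signature at all

# Print "<hash> <status> <author>" for every commit reachable from REF (default HEAD).
audit_commit_signatures() {
    repo="$1"
    ref="${2:-HEAD}"
    git -C "$repo" log --format='%H %G? %an' "$ref"
}

# Count commits that carry no signature at all.
count_unsigned() {
    audit_commit_signatures "$1" "$2" | awk '$2 == "N" { n++ } END { print n + 0 }'
}

# Report every commit without a *good* signature and exit non-zero if any exist.
# Suitable as a pre-merge or CI gate for repositories that mandate signing.
require_signed() {
    audit_commit_signatures "$1" "$2" | awk '
        $2 != "G" { bad++; print "not verifiably signed: " $1 " (" $2 ") " $3 }
        END { exit (bad + 0 > 0) ? 1 : 0 }'
}

# Build a constructed demo repository with two unsigned commits and print its path.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" -c init.defaultBranch=main init -q
    for msg in "first (unsigned)" "second (unsigned)"; do
        git -C "$dir" -c user.name=demo -c user.email=demo@example.com \
            -c commit.gpgsign=false commit -q --allow-empty -m "$msg"
    done
    printf '%s\n' "$dir"
}

# Stand-alone demo: audit the constructed repo and show how the gate reacts.
if command -v git >/dev/null 2>&1; then
    demo=$(make_demo_repo)
    echo "unsigned commits: $(count_unsigned "$demo" HEAD)"
    require_signed "$demo" HEAD || echo "gate would block this branch"
    rm -rf "$demo"
fi
```

Run `require_signed /path/to/repo main` against a real clone to list commits a reviewer should look at; note that `E` (signature present, key not in the local keyring) is reported alongside `N`, because a signature that cannot be verified provides no more assurance than none.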