
And this is why I pgp sign all my commits. :-P



It's a bit worrying that GitHub will happily associate someone's face on a commit that they didn't write: https://github.com/jayphelps/git-blame-someone-else/commit/e...

Perhaps GitHub should only do this for signed commits or commits to the author's own repository or something.

GitHub also allows you to add anyone to a project without their consent (or has this changed?). This reminds me of the Facebook prank where someone added Mark Zuckerberg to a fake(?) pro-paedophile group.


Agreed.

It should be trivial for them to allow you to paste your pgp public key as you would your ssh public key, then place a nice little "verified" check mark next to commits that can be validated as having been signed with one of your associated private keys.


There are so many things that GitHub could easily do, but don't... Makes me wonder what they actually do.


You mean besides developing and operating one of the best services on the web?


Well, yeah. It is a good service. They've contributed good stuff to Git core, too.

I really wonder what they do. I have some complicated feelings about them, also, that has to do with them becoming the central hub for open source.

Like, if the product itself were open source, it might be more obvious what they are working on. But I can't demand that kind of transparency... It would just be interesting to know.

With almost 500 employees, what happens? I've never even worked at such a large company myself.

Should GitHub users have some say in what the company builds? I mean, we're promoting them like hell, and the social network is a huge part of their value.

I often wonder what well-funded large product companies do with all their manpower. Feature development doesn't seem to scale. Nor innovative design. GitHub's mobile layout is pretty crippled. I dunno. Just curious.


Best in what sense? Bitbucket does everything Github does, plus gives free private repos. GitHub is just more widely used.


But Bitbucket is fricken awful though. I think I have an allergy to everything designed by Atlassian.


Bitbucket crashes minimal browsers like Surf and github doesn't. So, in that regard, Github is better.


It seems odd to blame BitBucket and not Surf for this.


Interesting, didn't know that. But it seems easily fixable for BB and probably doesn't drive much of the difference in popularity.


Is there any way to search bitbucket? Can I link my profile to someone so they can see all my projects? I'm only dimly aware of bitbucket, but if these criteria are easily met then I might even consider changing over.


I don't use bitbucket so can't comment if they provide this. But github has a nice hack allowing you to svn checkout a portion of a tree.

On a slow connection, this allows you to work on or inspect repos that are too large to git clone (one of the few major complaints I have with git itself).


Best as in market share, but certainly not best by its own merits. (i.e. there is better git management software)


Well, maintaining software and infrastructure is one thing. But they also seem to lack features compared to the competition. They might want to quickly sort their management issues out and be more aggressive feature-wise.


They are carrying the torch for rectifying social injustices, apparently. Oh, and selling out for the enterprise big-bucks.


If you can sell them on it as an important enterprise feature, they might implement something. :)


Alternatively, they could provide some sort of on-page indication of a credentials/e-mail mismatch, i.e. detect and publicly report when the HTTPS/SSH credentials used for a `git push` aren't associated with a verified e-mail address matching the commit's `user.email`.

I reported this issue a long time ago to their security team, and got a really condescending "we're a collaborative community, it's not a problem, you obviously don't understand" type of response. Pretty frustrating.


But isn't it somewhat reasonable that I push someone else's commit? Say I want to rewrite an old commit, and then force push that, then all the commits after the rewritten commit by other people would effectively be pushed by me.

Or consider the common case where the public repository on Github is just a mirror of an official repository somewhere else -- then commits from a bunch of people would all be pushed by whoever is responsible for keeping the repos in sync.

But maybe Github could just add some kind of a "pushed by" label that identifies the Github user who pushed the commit?


> But isn't it somewhat reasonable that I push someone else's commit? Say I want to rewrite an old commit, and then force push that, then all the commits after the rewritten commit by other people would effectively be pushed by me.

Even worse: rebasing (what rewriting an old commit actually does) changes all SHA hashes of the following commits, thus breaking existing PGP signatures on the commits. There should be two signatures... one for the patch+comment, one for the history.


They do have a "committed by" feature that appears when you cherry-pick someone else's commit to a branch.

It shows up as "Bob committed with Alice".

I've only noticed it showing up for cherry-picks, I'm unsure if that's the only place it's used.


They show that if the git commit has differing author and committer fields (it shows up when I reorder and squash commits on branches before merging).

All one has to do to make it go away is change the committer field on the git; this isn't security added by GitHub.
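Added example (not code from the thread or from GitHub): a Python parser for the raw commit-object headers that the "committed with" display discussed above keys on. It shows why an author/committer comparison is only a hint, and why the credential-mismatch or "verified" indicators suggested earlier would have to rely on something the pusher cannot set, such as a signature bound to the account. Both sample commits, the tree hash and the signature block are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed samples in `git cat-file -p <sha>` layout; the tree hash is a
# placeholder. A gpgsig header spans several lines, each indented by one space.
SPOOFED_COMMIT = "\n".join([
    "tree " + "0" * 40,
    "author Alice Example <alice@example.com> 1450000000 +0000",
    "committer Mallory <mallory@example.com> 1450000100 +0000",
    "",
    "Add feature (not actually written by Alice)",
])
SIGNED_COMMIT = "\n".join([
    "tree " + "0" * 40,
    "author Alice Example <alice@example.com> 1450000000 +0000",
    "committer Alice Example <alice@example.com> 1450000000 +0000",
    "gpgsig -----BEGIN PGP SIGNATURE-----",
    " <constructed placeholder, not a real signature block>",
    " -----END PGP SIGNATURE-----",
    "",
    "Initial commit",
])
IDENT_RE = re.compile(r"^(?P<name>.*?) <(?P<email>[^>]*)> (?P<ts>\d+) (?P<tz>[+-]\d{4})$")

@dataclass
class CommitIdentity:
    author_email: str
    committer_email: str
    signed: bool  # a gpgsig header exists; its validity is NOT checked here

    def author_committer_mismatch(self) -> bool:
        # The condition behind GitHub's "X committed with Y" line. Both fields are
        # under the pusher's control, so this is a hint, not a security boundary.
        return self.author_email != self.committer_email

def parse_commit(raw: str) -> CommitIdentity:
    """Read the header block: everything before the first blank line."""
    headers = {}
    for line in raw.split("\n"):
        if line == "":
            break  # headers end; the commit message follows
        if line.startswith(" "):
            continue  # continuation line of the previous header (gpgsig body)
        key, _, value = line.partition(" ")
        headers[key] = value
    def email_of(field: str) -> str:
        match = IDENT_RE.match(headers.get(field, ""))
        if match is None:
            raise ValueError(f"missing or malformed {field} header")
        return match.group("email")
    return CommitIdentity(email_of("author"), email_of("committer"), "gpgsig" in headers)
```

Checking that a `gpgsig` header is present says nothing about who holds the key; a real "verified" mark needs the signature validated against a key the account owner has registered.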


Yeah, the "pushed by" indicator would be a great idea IMO.


Worrying and potentially libelous. Some countries (e.g. UK) have strict libel law, and by using this you could get Github in trouble for publishing libelous material.

Of course, this has always been possible with git.


Though since GitHub does not have an office in the UK and in the US is protected from foreign defamation judgements under the SPEECH Act, it probably doesn't have much to worry about.


Just wait until they want to take advantage of Ireland's favourable tax regime. Ireland also has strict libel/defamation laws.


I actually just noticed this yesterday when realizing that some commits to my personal repository on an unrelated-to-work project had my work account's username and picture, even though I used my personal account key. I guess this uses the global email and name settings, and github matches the picture. I got a bit worried that this stuff would start appearing on my work organization's timeline.


Back when I was first learning to use git, I accidentally pushed a commit to my repo as the author of a set of dotfiles I'd cloned. It was a bit mortifying.


One of my coworkers did the same thing years ago, and he still takes flak for it.


I'm actually surprised that git doesn't sign commits by default. (i.e. I had assumed that it did.)

It already has the keys set up and such.


No it doesn't. Git works independently of SSH.


Oh.

Oops. Thanks for the correction.



