The 1st commit of git/git no longer belongs to Linus Torvalds
or how the GitNFT community found an exploit in GitHub ✨
It’s been a few months since we released the first version of 🔮GitNFT, a platform which allows open source software creators to mint NFTs of their commits on GitHub and sell them in the OpenSea marketplace as art. GitNFT is a tribute to the contributors who wrote the code that is at the backbone of our society and global economy, and a mechanism for OSS creators to engage with their fans and monetise their social capital. We believe that the open source monetisation problem can’t be fully solved through patrons and donations, so we challenged ourselves to reimagine a solution from the lenses of crypto, decentralised networks, and creator economies.
While bootstrapping our early community and incubating the project, we’ve been fortunate enough to amass a collection that now includes GitNFTs from MetaMask, Bitcoin, Homebrew, amongst several others. In doing so, we have had the privilege to learn from our early community and see how developers study, use, and (try to) hack our product. While we’ve benefited from most of these learnings, we were recently made aware of an exploit that allows anyone to claim public authorship of a particular set of open source commits. To make a point, @VanTudor (GitNFT’s lead developer) managed to assign git/git’s first commit on GitHub to himself (see image above). The purpose of this blogpost is to raise awareness of this issue amongst the community and with GitHub more specifically.
How did this all start? Last Saturday we received an unusual message in our Discord channel. A developer going under the name of @nbanmp shared a link to a GitNFT minted asset for Linus Torvald’s first commit of https://github.com/git/git titled Initial revision of “git”, the information manager from hell. We initially thought it was a joke, but to our surprise, the repo matched the URL of the original repository. After inspection we realised that @nbanmp had indeed managed to impersonate Linus and mint a GitNFT having as underlying the first git commit in the universe. When looking at our verification protocol we discovered an exploit on GitNFT’s side which, after further investigation, uncovered an even more serious glitch on GitHub’s side.
To understand what happened, we need to share a few more details about the way GitNFT works. By design, GitNFT will only let you mint NFTs of the commits you have authored (or co-authored). The GitHub identity of the author is verified through OAuth, while the authorship is validated by examining the commit response in the GitHub’s REST API. The response looks something like this.
In particular, note that there is authorship metadata in both commit.author and author. The former is the identity information added to the commit through git, and includes the name, email, and date of the author. The latter is the author’s identity through GitHub’s lens which, along with the author’s id, login, and pointers to the user’s social metadata.
The exploit from @nbanmp was possible because GitHub’s method of populating the author field is bogus. GitHub allows users to add email addresses to their account, but does not require the user to verify the email address. When the commits have a null author field (which is the case for the commits of popular repositories that pre-date the octocat), GitHub will populate author with the data of the latest account to have added that email address, regardless of whether the account is verified or not! As a result, @nbanmp managed to accidentally kill it as he eloquently described in his GitNFT, while @VanTudor was able to list himself as the creator of git!
This might seem like an innocent, insignificant glitch, but we think it is actually a big deal! Open source contributors don’t usually get compensated for their work, so ensuring that they get the credit they deserve is the least we can do. In open source, authorship attribution is an inalienable right — a right that should be guaranteed by the platform in charge of safeguarding the world’s open source code. We submitted a report to Github through HackerRank, but it was marked as closed after a couple of minutes. We hope that this matter gets enough attention and that GitHub helps ensure that the creation kudos go to the right persons — even if they’re not GitHub users!
How does it affect GitNFT? Certainly, our collection is now scarred by @nbanmp’s weird NFT. However, we see this imperfection as an enrichment to our collection because it immortalises the discovery of this exploit, and hopefully helps incentivise its resolution. The good news is, that GitNFT uniqueness is enforced by the author’s id on GitHub rather than the email, so if Linus ever wants to mint the real Initial revision of “git”, the information manager from hell he’ll be able to do so. GitNFT is still in incubation and a new version is on the way! If you’re a maintainer or open source contributor and are interested to fund your work through GitNFTs, we’d love to chat!
Kudos to Tudor, E.M. Ayovunefe, and the rest of the Quine team for their help in preparing this blogpost! — Written with ❤️ by Quine
