GitHub Hacked
MrSeb writes "Over the weekend, developer Egor Homakov exploited a gaping vulnerability in GitHub that allowed him (or anyone else with basic hacker know-how) to gain administrator access to projects such as Ruby on Rails, Linux, and millions of others. GitHub uses the Ruby on Rails application framework, and Rails has been weak to what's known as a mass-assignment vulnerability for years. Basically, Homakov exploited this vulnerability to add his public key to the Rails project on GitHub, which then meant that GitHub identified him as an administrator of the project. From here, he could effectively do anything, including deleting the entire project from the web; instead, he posted a fairly comical commit. GitHub summarily suspended Homakov, fixed the hole, and, after 'reviewing his activity,' he has been reinstated. Homakov could've gained administrative access to the master branch of any project on GitHub and deleted the history, committed junk, or closed or opened tracker tickets."
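The class of bug the summary names, as an added example that is not part of the original post and is not GitHub's or Rails' code: a handler that copies every request parameter onto a record, beside one that uses an allowlist and takes ownership from the session. The `PublicKey` model, its field names and the request values are constructed assumptions.

```ruby
# Added illustration in plain Ruby; model and field names are hypothetical.
PublicKey = Struct.new(:title, :key, :user_id)

# Vulnerable pattern: every parameter that matches an attribute is written,
# including ones the form never offered (here, the owner id).
def assign_unfiltered(record, params)
  params.each do |name, value|
    record[name] = value if record.members.include?(name.to_sym)
  end
  record
end

# Hardened pattern: only allowlisted names are written; anything else is
# returned so the caller can log it as a tampering signal.
PERMITTED = %w[title key].freeze

def assign_permitted(record, params, permitted = PERMITTED)
  rejected = params.keys - permitted
  params.each { |name, value| record[name] = value if permitted.include?(name) }
  [record, rejected]
end

def create_key_vulnerable(params, current_user_id)
  assign_unfiltered(PublicKey.new(nil, nil, current_user_id), params)
end

def create_key_hardened(params, current_user_id)
  record, rejected = assign_permitted(PublicKey.new, params)
  record.user_id = current_user_id # owner comes from the session, never the request
  [record, rejected]
end

# Constructed request: the logged-in user is 42, but the body carries an
# extra user_id field naming a different account.
CURRENT_USER_ID = 42
REQUEST_PARAMS = {
  "title" => "laptop",
  "key" => "ssh-rsa AAAA-constructed-sample",
  "user_id" => "1"
}.freeze

weak = create_key_vulnerable(REQUEST_PARAMS, CURRENT_USER_ID)
safe, rejected = create_key_hardened(REQUEST_PARAMS, CURRENT_USER_ID)
puts "unfiltered owner: #{weak.user_id.inspect}"
puts "allowlisted owner: #{safe.user_id.inspect}, rejected params: #{rejected.inspect}"
```

Logging the rejected parameter names gives a cheap detection signal, since a legitimate form never submits them.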
Nice FUD you got there. Be a shame if anything were to happen to it...
Every patch added to the Linux kernel is (and always has been) reviewed, scrutinized, tested, and prodded by some of the best system programmers in the world. And there's an informal web of trust in place as well. Joe Random Hacker can't just pop up one day and toss a patch over the fence and get it accepted into the mainline kernel. Linus does not accept code from a developer who doesn't have some kind of track record in the community. (Or one who isn't sponsored/mentored by the same.) It's not foolproof (we still have occasional bugs and security vulnerabilities), but it has worked quite effectively for 20 years.
Also, GitHub is not where the main kernel development happens.
Finally, since it's impossible to add something to a git repository without it appearing in the logs (regardless of the GitHub website's security flaws), it would be trivial to simply revert a questionable patch.