
Re: Reactos participation and windows source leaked

Posted: Tue Jan 22, 2019 9:58 am
by jimtabor
The full history from SVN to GIT seems to be lost.

Re: Reactos participation and windows source leaked

Posted: Tue Jan 22, 2019 10:22 am
by binarymaster
hbelusca wrote: Mon Jan 21, 2019 6:26 pm Ok we know it's a dangling commit, since it is known that GitHub can keep dangling commits. The question is from where does it originate? Because if it was from guy's branch, it would not be in "reactos/reactos".
It may be possible to ask GitHub support to perform a "git gc" on the hosted repo in order to clear all that bullshit.
Maybe somebody once created a Pull Request from his branch, and the main repository fetched and stored that commit (even if the source PR has been closed).

You can always access commits from PRs by hash as if they are already in main repo, for example: This is just how git works.

Re: Reactos participation and windows source leaked

Posted: Tue Jan 22, 2019 11:58 am
by PurpleGurl
karlexceed wrote: Mon Jan 21, 2019 10:22 pm The GitHub user implicated made two other commits on the same day with the same commit title, but different descriptions:
https://github.com/GreenteaOS/Greentea/ ... 632337cf15
https://github.com/GreenteaOS/Greentea/ ... 423f9c8782

But I can't find any evidence as to where the commit in question originated.

The commit is marked as 'Verified', which means it was signed, but that doesn't necessarily mean that it was the GreenTea contributor that did this. See: http://www.jayhuang.org/blog/tag/impersonating/

Literally anyone could have forked ReactOS and made this commit. Someone is definitely trying to stir things up.
Now he did adopt the CoC for his project which helps seed SJW stuff which tends to cause problems in open source projects. I'm wondering if that isn't the intent of some, extorting projects to adopt the CoC or be harassed out of existence. But we have no way of knowing at this time, and I am not assigning blame.

I agree that it might not even be the guy in question. If it is related to SJW stuff, any 3rd-party actor could be involved. Thank you for pointing that out.

Edit: I went back and edited my earlier post. I hope it is more acceptable.

Re: Reactos participation and windows source leaked

Posted: Tue Jan 22, 2019 1:11 pm
by Quim
EmuandCo wrote: Mon Jan 21, 2019 5:22 pm @Quim, where did you get this blob link from? Don't tell me you used some random chars and picked a strange random blob by doing so. Someone gave this to you and I'd like to know who.
There is no code linkage to any of our commits, there is no commit access for that PeyTy and never will be due to the sources he uses and there is no Pull request committed by him either. Thus this whole thing smells fishy!
It was published in a Telegram group related to ReactOS (not ReactOS groups). I don't remember which, because it just disappeared quickly.

I think it was a joke designed to test if it is possible to upload anything in ReactOS code and if you could realize it.

Re: Reactos participation and windows source leaked

Posted: Tue Jan 22, 2019 1:19 pm
by PurpleGurl
Oh, so more of a meme or a prank? I see. So it might not be directly connected to the other controversy, though it could have helped trigger it or have perhaps been inspired by it.

Re: Reactos participation and windows source leaked

Posted: Tue Jan 22, 2019 5:53 pm
by EmuandCo
I'd call it defamation! If ppl think this is funny, they are free to come by and then I will show them how funny they are! Legal expenses insurance can be really funny though!

Re: Reactos participation and windows source leaked

Posted: Tue Jan 22, 2019 8:03 pm
by binarymaster
Quim wrote: Tue Jan 22, 2019 1:11 pm It was published in a Telegram group related to ReactOS (not ReactOS groups). I don't remember which, because it just disappeared quickly.

I think it was a joke designed to test if it is possible to upload anything in ReactOS code and if you could realize it.
It is still here, not disappeared.

Post was forwarded to Spanish community group by Leo:

[ external image ]

The original author of the post is PeyTy (not a big surprise):

[ external image ]

[ external image ]

Re: Reactos participation and windows source leaked

Posted: Tue Jan 22, 2019 9:01 pm
by justincase
karlexceed wrote: Mon Jan 21, 2019 10:22 pm The commit is marked as 'Verified', which means it was signed, but that doesn't necessarily mean that it was the GreenTea contributor that did this. See: http://www.jayhuang.org/blog/tag/impersonating/

Literally anyone could have forked ReactOS and made this commit. Someone is definitely trying to stir things up.
While anyone can make a commit under someone else's name and push it to GitHub, and it will appear as coming from the person detailed in the commit's metadata, it's unreasonable to suggest that a verified (i.e. signed with this user's key) commit came from someone else, unless you're suggesting that that person has left his key around for others to get their hands on and use. Since this commit was created around the same time as other commits this user made, I'd suggest that the simplest case (this user made the commit) is the most likely.
binarymaster wrote: Tue Jan 22, 2019 10:22 am Maybe somebody once created a Pull Request from his branch, and the main repository fetched and stored that commit (even if the source PR has been closed).
No need to create a pull request, just push it to a repository that is a fork of the main repository and the commit id can be used to access it from a url that looks like it's part of the main repository, or that of any other repository forked from the same main repository.
PurpleGurl wrote: Tue Jan 22, 2019 11:58 am Now he did adopt the CoC for his project which helps seed SJW stuff which tends to cause problems in open source projects. I'm wondering if that isn't the intent of some, extorting projects to adopt the CoC or be harassed out of existence. But we have no way of knowing at this time, and I am not assigning blame.

I agree that it might not even be the guy in question. If it is related to SJW stuff, any 3rd-party actor could be involved. Thank you for pointing that out.
It seems pretty obvious that this has nothing to do with their CoC, and/or "SJW" stuff, and more to do with the ReactOS Project's stance on not accepting 'possibly tainted' contributions, and the likelihood of a third party actor doing this is greatly diminished by the fact that the commit is verified.
EmuandCo wrote: Tue Jan 22, 2019 5:53 pm I'd call it defamation! If ppl think this is funny, they are free to come by and then I will show them how funny they are! Legal expenses insurance can be really funny though!
I doubt you could make a legal case out of this unless you could prove that someone actively used it to publicly slander the ReactOS Project, but it's good to check into it and be ready, just in case.
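
An added example, not part of any post in this thread or of the ReactOS project: a check on a local clone that tells a commit belonging to a repository's published history from one that only resolves by hash, as in the fork behaviour described above. The repository, identity and hashes below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): is a commit part of a repository's
# published history, or only an object that resolves by hash?

# commit_is_published REPO SHA
#   0: SHA is contained in at least one branch or tag of REPO
#   1: the object exists in the clone but no branch or tag contains it
#   2: the object is not in the clone at all (e.g. it lives only in a fork)
commit_is_published() {
    repo=$1 sha=$2
    git -C "$repo" cat-file -e "${sha}^{commit}" 2>/dev/null || return 2
    refs=$(git -C "$repo" for-each-ref --contains "$sha" \
        --format='%(refname)' refs/heads refs/remotes refs/tags)
    [ -n "$refs" ]
}

# Print a one-word verdict for the same check.
classify_commit() {
    rc=0
    commit_is_published "$1" "$2" || rc=$?
    case $rc in
        0) echo published ;;
        1) echo unreferenced ;;
        *) echo missing ;;
    esac
}

# Constructed demo repository: one commit on a branch, one commit object
# that no ref points to, and one hash that does not exist.
demo=$(mktemp -d)
ident="-c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false"
git init -q "$demo"
echo "hello" > "$demo/README"
git -C "$demo" add README
git -C "$demo" $ident commit -q -m "on a branch"
on_branch=$(git -C "$demo" rev-parse HEAD)
no_ref=$(git -C "$demo" $ident commit-tree -p HEAD -m "no ref" "HEAD^{tree}")
absent=1111111111111111111111111111111111111111

for c in "$on_branch" "$no_ref" "$absent"; do
    printf '%s %s\n' "$c" "$(classify_commit "$demo" "$c")"
done
```

Run against a fresh full clone of the upstream repository, a verdict other than `published` means the hash is not in any branch or tag the project maintains, whatever URL it was viewed under.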

Re: Reactos participation and windows source leaked

Posted: Tue Jan 22, 2019 9:22 pm
by karlexceed
justincase wrote: Tue Jan 22, 2019 9:01 pm While anyone can make a commit under someone else's name and push it to GitHub, and it will appear as coming from the person detailed in the commit's metadata, it's unreasonable to suggest that a verified (i.e. signed with this user's key) commit came from someone else, unless you're suggesting that that person has left his key around for others to get their hands on and use.
Did you read the article I linked?
I was able to push code to GitHub as Linus Torvalds...
While I was using my own SSH key to push to a repository that only I was allowed to push to, GitHub showed ‘me’ as ‘Linus’...
What’s more, clicking on the author of that commit takes you to Linus’ GitHub profile...
All I had done was setup git with my SSH key for Github, then changed my git user.email to the same email that is being linked to Linus’ account: torvalds@linux-foundation.org (note that this is publicly available).

Re: Reactos participation and windows source leaked

Posted: Tue Jan 22, 2019 9:30 pm
by justincase
Yes, and while you can push any commits you want, using whatever key you want, it won't show up as verified unless the commit was signed with the key that's registered to that user. It's a very well known bug/feature, and it's not as broken as you seem to think.
github.blog/2016-04-05-gpg-signature-verification

@binarymaster: Good work finding that.

Re: Reactos participation and windows source leaked

Posted: Tue Jan 22, 2019 10:06 pm
by karlexceed
justincase wrote: Tue Jan 22, 2019 9:30 pm signed with the key that's registered to that user.
I'm just working from the information I have. That article is 5 years old now, and you're correct - Github now appears to require that the key be associated with the user's verified email.

It's still the case that if a user's Github credentials are stolen, a new key can be generated with those credentials. You don't necessarily need to have access to an existing private key to sign commits as them.

But I also agree with you that the simplest explanation is usually the correct one.

Since I checked, I will point out - the key ID that was used to sign the commit we're talking about matches with other verified commits from the same user. GPG key ID: 4AEE18F83AFDEB23

Re: Reactos participation and windows source leaked

Posted: Tue Jan 22, 2019 11:55 pm
by PurpleGurl
I think I was misunderstood above. I didn't say that the CoC and SJW were issues with us. I was thinking that if the leader of GreenTea OS was involved, the fact that he has the CoC for his project could be a motive to discredit us since we don't have that, and SJW types will sometimes use misdirects and even frame others. I never mentioned us having an issue.

So while it may seem like our stance on tainted code sparked things off (a reactionary/defensive stance by the GreenTea OS leader and/or recent blogger), there's just as much possibility that it is an offensive move by a 3rd party to try to promote an agenda. Or the 3rd option, that it was a prank/gag/meme. Memesters can also be politically motivated. Or it could be a combination or all of the above. Regardless, we have no proof, just 3-5 theories, and thus should not accuse.

As for verified, I don't believe that as it did not originate with this project. The origin of the extraneous commits is unclear. So yes, a third party person could use this same hash across projects to make it appear to be a part of another project. So these lines could be in GreenTeaOS and passed off as ours due to the hash trick. The fact that you get this using the hash even if you use .md (text) files shows that anyone can use the hash trick to frame someone.

Re: Reactos participation and windows source leaked

Posted: Wed Jan 23, 2019 12:29 am
by justincase
Just saw PeyTy in mattermost and asked about it.
It may have been in poor taste, but according to PeyTy it was meant only as a joke:
[ external image ]

Now can we stop with the crazy theories.

Re: Reactos participation and windows source leaked

Posted: Wed Jan 23, 2019 1:22 am
by PeyTy
Hello! I confirm that it is not related to any SJW/whatever or ReactOS hate (I don't like SJWs either, but the CoC concept seems to be a nice thing to keep people friendly).

Due to how easy it is to make fake commits, you should probably fill a wiki page about it, dunno when GitHub will fix this (if ever).

This is where the thing originated: https://twitter.com/andy_kelley/status/ ... 9252648960

It could be not me joking around, but some other guy with intention to harm ReactOS. Be prepared. Sorry it made a mess.

Re: Reactos participation and windows source leaked

Posted: Wed Jan 23, 2019 2:13 am
by PurpleGurl
Thanks for the explanation. LOL!

No, I don't think GitHub will fix this as they regard it as a feature. It has been brought to their attention and it is currently in the "Won't fix" category.