[ryanf323]

I look at GitHub profiles to help filter / disqualify candidates. Just last weekend, I had a marketing candidate who had stolen three Wordpress projects from their current employer and post them as public repos on their personal GitHub account. In addition to the flagrant intellectual property theft, the repos contained the wp-config.php file with exposed database “root” credentials to live, client sites.

[minimaxir]

> flagrant intellectual property theft

Granted, this seems like a case that's less malice and more adequately explained by stupidity.

[moonka]

Not sure either bodes well for hiring.

[sjellis]

I use GitHub accounts to provide context, after triaging CVs. The first sentence of the article mentions data aggregation, which is very far from how I use GitHub when evaluating technical candidates.

If you have already somebody's resume, GitHub provide clues and maybe a bit of evidence for your assessment of the candidate. Older, busy working software developer? Expect not many projects, possibly an intermittent commit history. Most GitHub projects are just unfinished exercises, so a workng project is unusual, and a clue that the candidate is also unusual. It's not scientific, but it's evidence that you can use, alongside the resume, and any communication with the candidate.

[MiddleEndian]

I know it's not really your responsibility but did you inform those sites and/or the candidate?

[ryanf323]

We did.

[whatyoucantsay]

Did you also report the employer's "theft", as you put it, of WordPress's GPL'd code?

[xref]

that's just...that's just not at all what GPL is

[whatyoucantsay]

The GPL is a license. If you don't abide by it, you don't get to download a copy of the software, sell it or create derivative works.

The history of WP itself enforcing the GP is instructive. More recently, Panasonic Avionics has been sued for $100M due to GPL violations.

[AstralStorm]

GPL does not force you to publish anything. But if you do publish a derivative work (including a binary) you must make sources available on request.

A WordPress-generated website is likely not a derivative work of WordPress source code. (Which is why Affero GPL exists.)

The further specifics depend on GPL version employed.

[paulie_a]

"if you see something, say something"

[cstrat]

Wow talk about a scummy thing to do to their employer. I am sure it will work for them before too... because not everyone would do their DD like you have.

[captain_perl]

FYI: WordPress.com requires plugins to be GPL for their public marketplace, so there may be nothing "flagrant" going on at all.

[letientai299]

Perhaps I misunderstood. But isn't Github help you filter out such candidates, is it? They have some big projects, but their contribution calandar should be almost empty, cuz all the code is pushed into Github at once.

[derimagia]

No one should look at the contribution calendar and hire based on it without looking more in depth. To answer your question it's based on commit time, but because of that you have things like: https://github.com/gelstudios/gitfiti

[letientai299]

To all the down-voters, let me rephrase my opinion again. I do take serious look on candidates Github profile, if they include that in their resume. And if they has some reasonable big projects, but they calendar seems empty, I will immediately think that the code is not belong to them. Perhaps that just forks, or, worse, that are stolen code.

I would also check they PR, issue and comments, to get some idea about how they work with stranger; what are important to them when they suggest ideas, contribute to existing code base; how they reply to critic or question from project owner, etc.

Also, just my opinion, most of us - software developers - can't live without OSS. We should contribute back when we could. That's why I usually prefer resume with a non empty Github profile than the others.

[hungerstrike]

I spent the majority of my time working on closed source.