Hacker News new | ask | show | jobs
by anglinb 1571 days ago
I worked on the security team at GitHub, this was a long standing part of how git works. GitHub allows users to verify commits via GPG signatures to prove that they committed something but it doesn't work for proving a negative, that you did not commit something.

We got so many of these submissions which are clearly called out in the rules/scope, usually the people who don't read the rules don't find anything useful. ¯\_(ツ)_/¯
1 comments
vgel 1571 days ago
Obviously anyone can attach any email to any commit, but why does the frontend UI work like this:

    gh_profile = get_profile_with_email(commit_email)
and not this?

    gh_profile = get_profile_with_email(commit_email)
    if not gh_profile.has_verified_email_ownership(commit_email):
      return null
link