[anandoza]

Could someone also write bad code and commit it using someone else's email address in the commit message, thus making the commit link to the other person's Github profile? (Sort of the reverse problem -- "giving blame" instead of "taking credit")

[skeaker]

Now you're thinking like the author of git-blame-someone-else: https://github.com/jayphelps/git-blame-someone-else

[22c]

IIRC there was an infamous (at the time) user hostile commit made to a Google product (Android or Chrome perhaps) where the author was obfuscated to something like "Android Dev" instead of an actual individual.

[jsmith45]

Perhaps this commit?:

https://android.googlesource.com/platform/packages/apps/Glob...

Discussed in https://news.ycombinator.com/item?id=17487441

[TrianguloY]

Yes, simply change the email and author before commit and should work.

Note that git already provides a way to mark a commit with someone else authorship, but in that case you remain as the "original author" of the commit, usually shown as "X authored commit of Y". I sometimes use that when I need to push other coworkers code for whatever reason, or when you start a codebase from an old project files that weren't versioned (so that you are not the author of all the atrocities of the old code ;)

[klabb3]

Yes, but it isn't limited to non-verified emails, you can do it with verified emails as well. I assume it's already used to obscure deliberate security compromises in forks etc.

There are many practical impersonation vectors. I assume Github is gonna have to require signed commits for profile links in the medium term future.

[heleninboodler]

Or use it for clout-chasing by getting big names in your contributors list. :D