risingthumb.xyz Bringing the pain to an already pained web

Want a free shirt kids?

=> Go here to see what it's all about.

I will recommend people participate in this, not to spam open source repositories, but because there's no system in place for checking if you just make a new github repository and make 4 valid but lame pull requests. It's literally a free shirt.

It's interesting that free shirts is an incentive that people will use to spam public FOSS repositories. I have my suspicions on what it should be considered. I would consider it(alongside Google Summer of Code) a mildly effective distributed denial of service attack. Distributed in many people making low quality pull requests. Denial of service by preventing quality pull requests being seen, discussed and merged. It may also deny service to the use of issues. For Free Open Source Software hosted over Github, this is not good. For hacker culture it sets a concerningly low bar, especially as hacker culture is commonly intrinsically motivated as opposed to extrinsically motivated by rewards. I will not be surprised if some genuine pull request gets marked as spam and invalid simply due to this spike.

Talking more on why this is interesting. By a search, we can see in a single day, over a thousand related issues have been made. I am expecting that some of these developers are unaware of where and why this surge in traffic has been experienced. The HTML Standard is subject to these troubles as well as the website for phpMyAdmin.

=> Thousands of Issues
=> HTML standard subject to troubles
=> phpMyAdmin subject to troubles

Now for the real meat and potatoes of this. This event proves that any corporation with the capital can initiate such an event and likely get away with it. In the case of digitalocean it is not strongly targeted towards any particular repository except those who willingly participate with a "digitalocean" issue tag. For political, or financial purposes, a company or corporation could very well target a specific set of repositories denying them service, at least over Github. How useful is this? Consider that one could target an essential service or nearly essential service that powers a lot of websites such as openssl. Although a fork exists call libressl, if this was timed appropiately, the backlash and fallout would not be insignificant. While I do not think it is the specific interests of any companies to behave in such a manner, I pose the example to demonstrate how it could be used as an attack on a particular repository.

So now I will present the solutions and fixes that remain available. Firstly I shall acknowledge that Digital Ocean are aware this is a problem, but their solution is akin to shrugging off the problem(as we have established, this is a denial of service problem).

- The first solution is one for an organisation such as Github, as Digital Ocean are reliant on their API. Simply deny them use of the API. This will by extension deny them the measures required to validate and invalidate whether a person is owed a reward, and would be a major problem for them to solve. The issue with this, is that it sets a dangerous precedent as such behaviour is not(to my knowledge) covered within the Github terms of service.

- The other option is to move away from Github and towards a different way of hosting git repositories. Either by owning and hosting a git server, or by using one of the many community made git services such as Gitlab. This is also not thoroughly effective, as Github is widely used as opposed to its alternatives. Such a change is similar to why the Linux kernel sees few new developers as the discussions take place within mailing lists.

- It is NOT a fix to email and complain about this to Digital Ocean. They have already expressed and established the extent to which they will go. Perhaps emailing Github may render a change, although it's unlikely.

- If you were considering making a low quality pull request, I would suggest you just make a public repository and cheat the 4 pull requests as their systems for checking and verifying and their bar for quality seems low.

At the very least, it must be said. From my perspective this has been the best joke I've seen in the last week. Some people were even making Pull requests on the 30th of September over this. This does prove however that Git in general is vulnerable to denial of service by poor or low quality pull requests.

=> Further reading can be done here.

To post a comment you need to login first.

Articles from blogs I follow around the net


pt. i pt. ii

via I'm not really Stanley Lieber. September 17, 2021

Status update, September 2021

It’s a quiet, foggy morning here in Amsterdam, and here with my fresh mug of coffee and a cuddly cat in my lap, I’d like to share the latest news on my FOSS efforts with you. Grab yourself a warm drink and a cat of your own and let’s get started. First, a new…

via Drew DeVault's blog September 15, 2021

Help Archive Team Archive public Google Drive files before September 13!

On September 13, Google is going to start requiring longer URLs to access many Google Drive files, breaking links to public files across the web unless users opt out! Because…

via Data Horde September 11, 2021

Generated by openring