Want a free shirt kids? #

I will recommend people participate in this, not to spam open source repositories, but because there's no system in place for checking if you just make a new github repository and make 4 valid but lame pull requests. It's literally a free shirt.

Go here to see what it's all about.

It's interesting that free shirts is an incentive that people will use to spam public FOSS repositories. I have my suspicions on what it should be considered. I would consider it(alongside Google Summer of Code) a mildly effective distributed denial of service attack. Distributed in many people making low quality pull requests. Denial of service by preventing quality pull requests being seen, discussed and merged. It may also deny service to the use of issues. For Free Open Source Software hosted over Github, this is not good. For hacker culture it sets a concerningly low bar, especially as hacker culture is commonly intrinsically motivated as opposed to extrinsically motivated by rewards. I will not be surprised if some genuine pull request gets marked as spam and invalid simply due to this spike.

Talking more on why this is interesting. By a search, we can see in a single day, over a thousand related issues have been made. I am expecting that some of these developers are unaware of where and why this surge in traffic has been experienced. The HTML Standard is subject to these troubles as well as the website for phpMyAdmin.

Thousands of Issues

HTML standard subject to troubles

phpMyAdmin subject to troubles

Now for the real meat and potatoes of this. This event proves that any corporation with the capital can initiate such an event and likely get away with it. In the case of digitalocean it is not strongly targeted towards any particular repository except those who willingly participate with a "digitalocean" issue tag. For political, or financial purposes, a company or corporation could very well target a specific set of repositories denying them service, at least over Github. How useful is this? Consider that one could target an essential service or nearly essential service that powers a lot of websites such as openssl. Although a fork exists call libressl, if this was timed appropiately, the backlash and fallout would not be insignificant. While I do not think it is the specific interests of any companies to behave in such a manner, I pose the example to demonstrate how it could be used as an attack on a particular repository.

So now I will present the solutions and fixes that remain available. Firstly I shall acknowledge that Digital Ocean are aware this is a problem, but their solution is akin to shrugging off the problem(as we have established, this is a denial of service problem).

• The first solution is one for an organisation such as Github, as Digital Ocean are reliant on their API. Simply deny them use of the API. This will by extension deny them the measures required to validate and invalidate whether a person is owed a reward, and would be a major problem for them to solve. The issue with this, is that it sets a dangerous precedent as such behaviour is not(to my knowledge) covered within the Github terms of service.
• The other option is to move away from Github and towards a different way of hosting git repositories. Either by owning and hosting a git server, or by using one of the many community made git services such as Gitlab. This is also not thoroughly effective, as Github is widely used as opposed to its alternatives. Such a change is similar to why the Linux kernel sees few new developers as the discussions take place within mailing lists.
• It is NOT a fix to email and complain about this to Digital Ocean. They have already expressed and established the extent to which they will go. Perhaps emailing Github may render a change, although it's unlikely.
• If you were considering making a low quality pull request, I would suggest you just make a public repository and cheat the 4 pull requests as their systems for checking and verifying and their bar for quality seems low.

At the very least, it must be said. From my perspective this has been the best joke I've seen in the last week. Some people were even making Pull requests on the 30th of September over this. This does prove however that Git in general is vulnerable to denial of service by poor or low quality pull requests.

Further reading can be done here.

Published on 2020/01/14