Want a free shirt? Spam Github!


Want a free shirt kids?

Go here to see what it's all about. I will recommend people participate in this, not to spam open source repositories, but because there's no system in place for checking if you just make a new github repository and make 4 valid but lame pull requests. It's literally a free shirt.

It's interesting that free shirts is an incentive that people will use to spam public FOSS repositories. I have my suspicions on what it should be considered. I would consider it(alongside Google Summer of Code) a mildly effective distributed denial of service attack. Distributed in many people making low quality pull requests. Denial of service by preventing quality pull requests being seen, discussed and merged. It may also deny service to the use of issues. For Free Open Source Software hosted over Github, this is not good. For hacker culture it sets a concerningly low bar, especially as hacker culture is commonly intrinsically motivated as opposed to extrinsically motivated by rewards. I will not be surprised if some genuine pull request gets marked as spam and invalid simply due to this spike.

Talking more on why this is interesting. By a search, we can see in a single day, over a thousand related issues have been made. I am expecting that some of these developers are unaware of where and why this surge in traffic has been experienced. The HTML Standard is subject to these troubles as well as the website for phpMyAdmin.

Now for the real meat and potatoes of this. This event proves that any corporation with the capital can initiate such an event and likely get away with it. In the case of digitalocean it is not strongly targeted towards any particular repository except those who willingly participate with a "digitalocean" issue tag. For political, or financial purposes, a company or corporation could very well target a specific set of repositories denying them service, at least over Github. How useful is this? Consider that one could target an essential service or nearly essential service that powers a lot of websites such as openssl. Although a fork exists call libressl, if this was timed appropiately, the backlash and fallout would not be insignificant. While I do not think it is the specific interests of any companies to behave in such a manner, I pose the example to demonstrate how it could be used as an attack on a particular repository.

So now I will present the solutions and fixes that remain available. Firstly I shall acknowledge that Digital Ocean are aware this is a problem, but their solution is akin to shrugging off the problem(as we have established, this is a denial of service problem).

At the very least, it must be said. From my perspective this has been the best joke I've seen in the last week. Some people were even making Pull requests on the 30th of September over this. This does prove however that Git in general is vulnerable to denial of service by poor or low quality pull requests. Further reading can be done at this blog post.