There may have been individual cases where there was SOL stolen as a result of this github problem, but this person asserts that the hacks affecting Solana are unrelated to the github problem:
Lastly, the “malicious github” thread, the rust trojan horse, and the malicious pizza delivery guy theories are all false.
Going forward, plz do not jump to conclusions or believe everything you read. As we figure out what is happening, people like:
Hard to conclude that this is directly related to the Solana private key leaks. Nevertheless, you should rotate your application secrets if you used any of the fake libraries on GitHub.
Always use rotating secrets if you can and vet the libraries you use.
The link for this post uses a read-only front-end for Twitter, which can be easier to read for viewing a full Twitter thread. The Tweet that kicked off the thread is:
I am uncovering what seems to be a massive widespread malware attack on @github.
Currently over 35k hits [Corrected later in the thread from repositories to hits].
So far found in projects including: crypto, golang, python, js, bash, docker, k8s
It is added to npm scripts, docker images and install docs
Did you guys know that Git can be used without a central GitHub/GitLab server?
Indeed, it always could; it was one of the very early features to be used decentralized in p2p.
The whole point of git is that it's decentralized; it's just not doing it in a BitTorrent style DHT internet protocol (yes, there are ways of connecting git this way).
Git is a way to keep files organized and revisioned across many connected or disconnected computers. It literally was designed to allow software development between teams and individuals that have no centralized organization and via any file-copy medium available including thumb drives. It was essentially an upgrade to managing software codebases with zip and patch files, which worked adequately for many decades. After Linus had some experience with a centralized VCS, but was still distributing his software in zip (tar.gz) files, he decided to write his own VCS so the community wasn't dependent on the existence of one corporation. He sat down and outlined a basic set of requirements for a VCS software that would do what he needed.
Interestingly, bitcoin's first revision was stored in git, and git was used to coordinate and secure the codebase around the world. You can go back to this first commit in the bitcoin-core repository and see what the first alpha version looked like.
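The thumb-drive workflow the reply above describes, as an added example (this is not code from the thread, from git's documentation, or from any project mentioned here): `git bundle` packs a branch's history into a single file that can be moved by any copy medium, and the receiving side runs `git bundle verify` before pulling anything out of it. Repo names, paths and the sample commits are made up for the demo.

```shell
#!/bin/sh
# Added example: sneakernet-style git sync with `git bundle`, no central
# server involved. All repositories, file names and commits are constructed
# here for the demo; nothing is fetched from the network.
set -eu

# "Developer A": a throwaway repo with two commits on branch main.
make_origin_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q 2>/dev/null
  git -C "$dir" symbolic-ref HEAD refs/heads/main   # name the unborn branch
  git -C "$dir" config user.name  "Dev A"
  git -C "$dir" config user.email "deva@example.invalid"
  printf 'hello\n' > "$dir/README"
  git -C "$dir" add README
  git -C "$dir" commit -q -m "initial import"
  printf 'world\n' >> "$dir/README"
  git -C "$dir" commit -q -am "second change"
  echo "$dir"
}

# Pack the complete history of main into one file. This is the thing you
# copy onto the USB stick (or attach to a mail, or scp). Prints its path.
export_bundle() {
  repo=$1
  bundle="$(mktemp -d)/thumbdrive.bundle"
  git -C "$repo" bundle create "$bundle" main >/dev/null 2>&1
  echo "$bundle"
}

# "Developer B": start from an empty repo, check the bundle before trusting
# it, then fetch from the file as if it were a remote. Prints the tip commit.
import_bundle() {
  bundle=$1
  clone=$(mktemp -d)
  git -C "$clone" init -q 2>/dev/null
  # verify runs inside a repo: it checks the bundle format and that every
  # prerequisite commit the bundle declares already exists locally (a full
  # bundle like this one declares none). Non-zero exit aborts via set -e.
  git -C "$clone" bundle verify "$bundle" >/dev/null 2>&1
  git -C "$clone" fetch -q "$bundle" main:refs/remotes/usb/main 2>/dev/null
  git -C "$clone" reset -q --hard usb/main
  git -C "$clone" rev-parse HEAD
}

# Full round trip. Prints "ok" when B's HEAD equals A's tip of main,
# "mismatch" otherwise.
sneakernet_roundtrip() {
  origin=$(make_origin_repo)
  bundle=$(export_bundle "$origin")
  clone_tip=$(import_bundle "$bundle")
  origin_tip=$(git -C "$origin" rev-parse main)
  [ "$clone_tip" = "$origin_tip" ] && echo ok || echo mismatch
}
```

Run `sneakernet_roundtrip` after sourcing the file. A caveat worth keeping in mind given what this thread is about: `git bundle verify` only proves the file is well-formed and self-contained; it says nothing about who authored the commits inside it. Authorship on a bundle that arrived by thumb drive is checked the same way as on a clone from a hosting site, with signed commits or tags, which git supports without any central server.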
Could this possibly be related to the Solana hack?
https://twitter.com/HelpedHope/status/1554812889168478208
https://nitter.net/HelpedHope/status/1554812889168478208
Another reason why I self-host all my stuff. I use gitea on my umbrel node.
Bullshit claim. You really fork and host every dependency you have? Have you read the thread?
I keep my stuff at a gitea instance. I do use dependencies but I do not host them. I use mainly Go. I guess with JS it is more complicated.
But that may not work for other people / businesses.
I fail to see why my claim was bullshit.
https://twitter.com/stephenlacy/status/1554697083331891201
https://nitter.it/stephenlacy/status/1554697083331891201
https://twitter.com/lxjhk/status/1554727870244605952
https://nitter.it/lxjhk/status/1554727870244605952
https://twitter.com/TwitchiH/status/1554725705438601216
https://nitter.net/TwitchiH/status/1554725705438601216
https://twitter.com/wtogami/status/1554716537323302912
https://nitter.it/wtogami/status/1554716537323302912
UPDATE
https://twitter.com/GitHubSecurity/status/1554843443200806913
https://nitter.it/GitHubSecurity/status/1554843443200806913
https://nitter.it/stephenlacy/status/1554697077430505473