How to create a 'poison repository' that freezes your account when published on GitHub


Nick Quaranto

The original repository of the video downloader 'youtube-dl' on GitHub was deleted at the request of the Recording Industry Association of America (RIAA), but volunteers are mirroring it in various places. Engineer Joey Hess has published a way to take advantage of GitHub's response to such mirroring and create a dangerous repository that freezes an account when it is published to GitHub.

how to publish git repos that cannot be republished to github

How to publish Git repos that cannot be republished to GitHub | Hacker News

Journalists and developers in the open source community strongly oppose the deletion of the youtube-dl repository. Nat Friedman, CEO of GitHub, also expressed his intention to 'revive the repository as soon as possible' in the IRC chat where developers gathered, but in the meantime volunteers created many repositories on GitHub that mirrored youtube-dl, and the situation was out of control.

GitHub CEO moves towards repositories of 'youtube-dl' deleted --GIGAZINE

In response to this situation, the DMCA policy on GitHub was revised on November 1, 2020. The revised policy states, 'Please note that re-uploading the exact same content that was deleted violates GitHub's DMCA policy and terms of use. If you post content that violates the terms of use to this repository, we may delete its content and suspend access to your account.'

Hess speculates from this policy revision that 'if you publish content on GitHub that contains a specific commit hash value, you will be subject to account freezes.' Based on that speculation, Hess explains how to put 'poison' into his own hosted git repository.

The method is simple: add the illegal repository as a submodule to your repository, delete the '.gitmodules' file and commit. Then delete the submodule directory as well and commit again. With both the '.gitmodules' file and the submodule directory gone, only the commit hash value of the illegal repository is left in the repository's history. If a third party pushes this repository to GitHub, the account will be frozen.

There is even a shell script to create a 'poison repository' in your local git repository.

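[code]
#!/bin/sh
# Ask for the URL of the repository to reference.
printf 'Enter the url of the illegal repo, Citizen: '
read -r wha
# Add it as a submodule at path "wha"; this stages .gitmodules and the submodule pointer.
git submodule add "$wha" wha
# Drop .gitmodules (-f because it is staged but not yet committed) and commit the pointer alone.
git rm -f .gitmodules
git commit -m wha
# Remove the submodule directory and commit; the pointer stays in the previous commit.
git rm wha
git commit -m wha
[/code]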

In fact, it seems unlikely that your account will be frozen this way, and this 'poison repository' is Hess' joke about the proliferation of youtube-dl mirrors.
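Anyone mirroring a third-party repository can check for this pattern before republishing it, because the submodule pointer (a tree entry with mode 160000) stays in history after '.gitmodules' and the directory are removed. The shell functions below are an added example, not code from Hess' post or from this article; `parse_gitlinks`, `audit_repo` and `sample_raw_log` are hypothetical names, and the sample log is constructed.

```shell
#!/bin/sh
# List every submodule pointer (gitlink, mode 160000) that any commit in a
# repository's history adds or changes, even if it was deleted again later.

# parse_gitlinks: reads the output of
#   git log --raw --no-abbrev --format='commit %H'
# on stdin and prints "<commit> <pinned-hash> <path>" per gitlink found.
parse_gitlinks() {
    awk '
        $1 == "commit" { commit = $2; next }
        # Raw line: ":<oldmode> <newmode> <oldhash> <newhash> <status>TAB<path>"
        /^:/ && $2 == "160000" {
            path = $0
            sub(/^[^\t]*\t/, "", path)   # keep everything after the first tab
            print commit, $4, path
        }
    '
}

# audit_repo: run the parser over all refs of the repository at path $1.
# -m also diffs merge commits against each parent, so a pointer introduced
# only in a merge is reported; sort -u drops the resulting duplicates.
audit_repo() {
    git -C "$1" log --all -m --raw --no-abbrev --no-renames \
        --format='commit %H' | parse_gitlinks | sort -u
}

# sample_raw_log: constructed input (shortened, made-up hashes) shaped like
# the two commits the script in this article produces: c1 adds the pointer
# without .gitmodules, c2 deletes it again.
sample_raw_log() {
    printf 'commit c2\n\n:160000 000000 aaaa 0000 D\twha\n'
    printf 'commit c1\n\n:000000 160000 0000 aaaa A\twha\n'
    printf ':000000 100644 0000 bbbb A\tREADME\n'
}

# Usage: sh audit.sh /path/to/clone
if [ "$#" -gt 0 ]; then
    audit_repo "$1"
fi
```

Each reported hash can then be reviewed, or compared against a list of commits known to have been taken down, before the clone is pushed anywhere.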

in Web Service, Posted by darkhorse_log