Credit: Lucas Gouveia/How-To Geek
Open-source projects are a critical part of every operating system out there, and plenty of software is either open-source or relies on open-source projects to work. But what happens when those projects are compromised by a malicious actor? GitHub is taking steps to prevent just that.
Normally, when you upload a project to GitHub you’re free to make revisions to that code at any time. In many cases, that makes sense—something that is under active development will usually need to be updated, adjusted, and debugged over time.
However, that ability to update code after it has been placed in a repository also presents a tempting attack vector for a malicious actor. If they can compromise the account of whoever owns the repository (or anyone else that is allowed to push changes), they can replace the legitimate existing code with something that contains malware, or an exploitable security vulnerability.
It isn’t a purely theoretical concern either. The owners of popular projects on GitHub are attractive targets for malicious actors, and they are sometimes compromised. It happens relatively frequently to smaller GitHub projects that are popular in niche communities. If those projects are then incorporated into other projects, everything “downstream” of the original project could be compromised.
If this were to happen to a project that is incorporated into an operating system, it could affect millions or even billions of people.
So, how do you prevent that from happening?
You’ll never create a foolproof way to prevent hackers from gaining access to someone’s account—social engineering will always work, if nothing else. Instead, GitHub has chosen to focus on the code itself by making it immutable.
That means that once code has been uploaded to GitHub and the immutable feature is turned on, no one, not even the owner, can come back and stealthily make a change later. It also provides a way for users to manually verify that the code they download matches the original code, just in case. So even if someone gains complete control over the repository owner’s account, they won’t be able to add, modify, or delete existing code for their own nefarious purposes.
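The verification step described above, modeled as an added example that is not from the article or from GitHub: a consumer pins the digest of a release asset when it is first trusted, and every later download is checked against that pin, so a re-uploaded asset under the same tag is caught. The record format and names here are assumptions, not GitHub's actual format.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PinnedAsset:
    """Digest a consumer recorded when the release was first published (assumed format)."""
    tag: str
    name: str
    sha256: str


def digest(data: bytes) -> str:
    """Hex SHA-256 of an asset's bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_download(pinned: PinnedAsset, tag: str, name: str, data: bytes) -> tuple[bool, str]:
    """Compare a freshly downloaded asset against the pinned record.

    Returns (ok, reason). Any mismatch in identity or content is a failure;
    the caller should refuse to install the asset in that case.
    """
    if tag != pinned.tag or name != pinned.name:
        return False, "asset identity does not match the pinned record"
    actual = digest(data)
    if actual != pinned.sha256:
        return False, f"digest mismatch: expected {pinned.sha256[:12]}..., got {actual[:12]}..."
    return True, "ok"


# Constructed sample data: the original release archive bytes and a tampered
# re-upload that a compromised account might push under the same tag.
ORIGINAL = b"PK\x03\x04 ... original build output ..."
TAMPERED = ORIGINAL + b"\n# injected post-install hook\n"
PIN = PinnedAsset("v1.2.0", "tool-1.2.0.tar.gz", digest(ORIGINAL))

if __name__ == "__main__":
    print(verify_download(PIN, "v1.2.0", "tool-1.2.0.tar.gz", ORIGINAL))
    print(verify_download(PIN, "v1.2.0", "tool-1.2.0.tar.gz", TAMPERED))
```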
It is an excellent addition, and one that will make big open-source projects more secure going into the future, assuming people bother to enable it.