How Linus Torvalds Exposed a GitHub Fake‑Commit Vulnerability
The article explains how a prank-style README submitted by Linus Torvalds leveraged a GitHub "fake-commit" flaw, shows the crafted URLs that display a file from a commit absent from the repository's history, and discusses related GitHub vulnerabilities that remain unpatched, offering insight for security-aware developers.
On January 25, Linus Torvalds posted a README file to the Linux repository on GitHub with the provocative title "delete linux because it sucks". The file claims he hates Linux and recommends Windows XP, but the real purpose is to showcase a GitHub "fake‑commit" vulnerability.
The vulnerability allows an attacker to publish a README (or other file) via a specially crafted URL such as https://github.com/my/project/blob/<faked_commit>/README.md without the commit appearing in the repository's history or on any branch. The URL does not contain the word "commit", which distinguishes it from normal commit URLs.
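As an added example (not code from the article or from GitHub), a defender-side check for links of the form above: parse the blob URL, then confirm that the commit it names is reachable from a branch head of the repository. It assumes the commit graph is supplied as the output of git rev-list --all --parents from a fresh clone; the sample history, SHAs and URLs below are constructed.

```python
# Added example, not code from the article: flag a GitHub "blob" URL whose commit is not
# reachable from any branch. The commit graph here is constructed sample output of
# `git rev-list --all --parents`; in practice run that command in a fresh clone.
import re
from collections import deque

# https://github.com/<owner>/<repo>/blob/<sha>/<path>; the word "commit" never appears,
# so the link looks like an ordinary file link.
BLOB_URL = re.compile(r"^https://github\.com/([\w.-]+)/([\w.-]+)/blob/([0-9a-f]{7,40})/(.+)$")

def parse_blob_url(url):
    """Return (owner, repo, sha, path), or None if the URL does not name a commit SHA."""
    m = BLOB_URL.match(url)
    return m.groups() if m else None

def parse_rev_list(text):
    """Parse `git rev-list --all --parents` lines ("<sha> <parent>...") into {sha: [parents]}."""
    graph = {}
    for line in text.split("\n"):
        if line.strip():
            sha, *parents = line.split()
            graph[sha] = parents
    return graph

def reachable_from(heads, graph, sha_prefix):
    """Walk parent links from every branch head; True if an ancestor matches sha_prefix."""
    seen, queue = set(), deque(heads)
    while queue:
        commit = queue.popleft()
        if commit in seen:
            continue
        seen.add(commit)
        if commit.startswith(sha_prefix):
            return True
        queue.extend(graph.get(commit, []))
    return False

def check_blob_url(url, rev_list_output, branch_heads):
    """Classify a URL as 'no-commit-sha', 'in-history' or 'orphan-commit'."""
    parsed = parse_blob_url(url)
    if parsed is None:
        return "no-commit-sha"
    return "in-history" if reachable_from(branch_heads, parse_rev_list(rev_list_output), parsed[2]) else "orphan-commit"

# Constructed sample history: a1a1... (root) -> b2b2... (tip of main). A commit such as
# f4ce... is absent from it, so a blob URL naming that SHA is flagged as an orphan.
SAMPLE_REV_LIST = """b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2 a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1
a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"""
SAMPLE_HEADS = ["b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2"]  # refs/heads/main tip
```

A link that passes this check can still carry a forged author identity, so it only answers whether the commit is part of the repository, not who wrote it.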
Linus's README uses this technique, and the article includes screenshots of the crafted URL and of the commit log, which has no entry for the file, showing that it was never a real commit.
The article also links to a Hacker News discussion describing the fake-commit flaw, which can be combined with another GitHub issue, impersonating a user via a forged git commit email address, to create convincing phishing pages.
Examples are shown where an email address in a repository URL is swapped (e.g., replacing slimsag with torvalds), producing a repository that appears to be owned by Linus but lacks any activity record.
These GitHub vulnerabilities were disclosed publicly in 2020, yet GitHub has not addressed them, leaving them exploitable.
The article also notes that this is not Linus's first criticism of Linux; he has previously complained about desktop Linux's fragmented ecosystem and poor backward compatibility compared to Windows.
Source: https://www.sobyte.net/post/2022-01/linus-play-a-trick-of-github-vulnerability/
This article has been distilled and summarized from the source material and republished for learning and reference.