Linus Torvalds' GitHub README Prank and the Underlying Fake‑Commit Vulnerability
On January 25, Linus Torvalds posted a prank README on the Linux GitHub repository titled “delete linux because it sucks,” which exposed a “fake‑commit” vulnerability allowing arbitrary pages to be served via specially crafted URLs, highlighting ongoing security issues in GitHub’s handling of commits and email‑based impersonation.
On January 25, Linus Torvalds submitted a prank README file to the Linux GitHub repository with the provocative title “delete linux because it sucks,” claiming he had deleted Linux and recommending Windows XP.
The post is a joke; the Linux source code remains untouched, and the README does not appear in the commit history. The prank leverages a known “fake‑commit” vulnerability on GitHub that permits arbitrary content to be served via URLs such as https://github.com/my/project/blob/<faked_commit>/README.md without creating a real commit or branch.
Typical legitimate commit URLs contain the word “commit,” whereas the fake‑commit URLs omit this, making them hard to detect. Screenshots in the original article illustrate the malformed URLs and the absence of the README in the commit log.
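A defender-side check for the URL pattern above, as an added example that is not from the original article or from GitHub: it pulls the ref out of a `/blob/<ref>/` URL and reports whether a commit SHA in that position is reachable from the refs of a trusted local clone. The function names, verdict strings and sample SHAs are constructed for illustration.

```python
import re
import subprocess
from urllib.parse import urlparse

# /<owner>/<repo>/blob/<ref>/<path>, the URL shape quoted in the article
BLOB_RE = re.compile(r"^/([^/]+)/([^/]+)/blob/([^/]+)(?:/.*)?$")
HEX_RE = re.compile(r"^[0-9a-f]{7,40}$")  # full or abbreviated commit SHA

def reachable_commits(repo_dir):
    """Every commit reachable from the refs of a trusted local clone."""
    out = subprocess.run(
        ["git", "-C", repo_dir, "rev-list", "--all"],
        check=True, capture_output=True, text=True,
    ).stdout
    return set(out.split())

def check_url(url, reachable, ref_names=()):
    """Classify a GitHub file URL by whether its ref is part of real history."""
    parsed = urlparse(url)
    if parsed.hostname != "github.com":
        return "not-github"
    m = BLOB_RE.match(parsed.path)
    if not m:
        return "not-a-file-url"
    ref = m.group(3)
    # A branch or tag can look like hex, so known ref names are checked first.
    if ref in ref_names or not HEX_RE.match(ref.lower()):
        return "named-ref"
    # Abbreviated SHAs are matched by prefix against the reachable set.
    if any(sha.startswith(ref.lower()) for sha in reachable):
        return "in-history"
    return "unreachable-commit"  # content served, but not in the commit log

# Constructed sample data: two "real" commits and one SHA absent from history.
SAMPLE_REACHABLE = {
    "0123456789abcdef0123456789abcdef01234567",
    "89abcdef0123456789abcdef0123456789abcdef",
}
SAMPLE_FAKE = "feedfacefeedfacefeedfacefeedfacefeedface"

if __name__ == "__main__":
    base = "https://github.com/my/project/blob/"
    for ref in ("master", "0123456", SAMPLE_FAKE):
        print(ref, "->", check_url(base + ref + "/README.md", SAMPLE_REACHABLE))
```

In practice the `reachable` set would come from `reachable_commits()` run against a fresh clone of the repository named in the URL.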
The vulnerability was first disclosed in 2020, and GitHub has not treated it as a security issue. It can be combined with another GitHub flaw—email address impersonation—to create convincing phishing pages that appear to be authored by legitimate users.
Further details and discussion of the exploit can be found in the referenced Hacker News post and the GitHub bounty page on impersonating users through email addresses.
IT Services Circle