Attributing Open-Source Contributions is Critical but Difficult: A Systematic Analysis of GitHub Practices and Their Impact on Software Supply Chain Security

Jan-Ulrich Holtgrave; Kay Friedrich; Fabian Fischer; Nicolas Huaman; Niklas Busch; Jan H. Klemmer; Marcel Fourné; Oliver Wiese; Dominik Wermke; Sascha Fahl

Attributing Open-Source Contributions is Critical but Difficult: A Systematic Analysis of GitHub Practices and Their Impact on Software Supply Chain Security

Jan-Ulrich Holtgrave, Kay Friedrich, Fabian Fischer, Nicolas Huaman, Niklas Busch, Jan H. Klemmer, Marcel Fourné, Oliver Wiese, Dominik Wermke and Sascha Fahl.
Network and Distributed System Security (NDSS) Symposium 2025, February 24-28, 2025

PDF Abstract Cite

Abstract

Critical open-source projects form the basis of many large software systems. They provide trusted and extensible implementations of important functionality for cryptography, compatibility, and security. Verifying commit authorship authenticity in open-source projects is essential and challenging. Git users can freely configure author details such as names and email addresses. Platforms like GitHub use such information to generate profile links to user accounts. We demonstrate three attack scenarios malicious actors can use to manipulate projects and profiles on GitHub to appear trustworthy. We designed a mixed-research study to assess the effect on critical open-source software projects and evaluated countermeasures. First, we conducted a large-scale measurement among 50,328 critical open-source projects on GitHub and demonstrated that contribution workflows can be abused in 85.9% of the projects. We identified 573,043 email addresses that a malicious actor can claim to hijack historic contributions and improve the trustworthiness of their accounts. When looking at commit signing as a countermeasure, we found that the majority of users (95.4%) never signed a commit, and for the majority of projects (72.1%), no commit was ever signed. In contrast, only 2.0% of the users signed all their commits, and for 0.2% of the projects all commits were signed. Commit signing is not associated with projects’ programming languages, topics, or other security measures. Second, we analyzed online security advice to explore the awareness of contributor spoofing and identify recommended countermeasures. Most documents exhibit awareness of the simple spoofing technique via Git commits but no awareness of problems with GitHub’s handling of email addresses.

Reference

@inproceedings{conf/ndss/holtgrave25,
 author = {Jan-Ulrich Holtgrave and 
Kay Friedrich and 
Fabian Fischer and 
Nicolas Huaman and 
Niklas Busch and 
Jan H. Klemmer and 
Marcel Fourné and 
Oliver Wiese and 
Dominik Wermke and 
Sascha Fahl},
 booktitle = {Network and Distributed System Security (NDSS) Symposium 2025, February 24-28, 2025},
 month = {February},
 publisher = {Internet Society},
 title = {Attributing Open-Source Contributions is Critical but Difficult: A Systematic Analysis of GitHub Practices and Their Impact on Software Supply Chain Security},
 year = {2025}
}