https://www.baszerr.eu/ Wed, 06 May 2026 07:55:44 +0000 FeedCreator 1.8 https://www.baszerr.eu/lib/exe/fetch.php?media=wiki:dokuwiki.svg https://www.baszerr.eu/ https://www.baszerr.eu/doku.php?id=blog:2023:06:06:2023-06-06_-_github_personal_readme <h1 class="sectionedit1" id="github_personal_readme">2023-06-06 - github personal readme</h1> <div class="level1"> <p> recently i&#039;ve listened to <a href="https://darknetdiaries.com/episode/133/" class="urlextern" title="https://darknetdiaries.com/episode/133/" rel="ugc nofollow">i&#039;m the real Connor</a> episode of <a href="https://darknetdiaries.com" class="urlextern" title="https://darknetdiaries.com" rel="ugc nofollow">darknet diaries</a>. <abbr title="Too long; didn&#039;t read">TL;DR</abbr> version is that guy found himself in a situation, where his (very reach) github profile was used by a different person, to get to a job interview (i.e. “look at all my great work” – except it was some1 else&#039;s profile). </p> <p> it got me into thinking – how could it be prevented? obviously HR person could just ask for a specific commit on a private repo, shared with this person. this way it can be proven that the person has R/W access there. a bit of a fuss for both sides, but doable. is there any passive way? </p> <p> how would u then warn recruiter… or in fact – any other person that want to verify you is you? what crossed my mind is GPG keys (that i use for year now) and a github note, clearly visible on a main profile. turns out github allows to add private notes, that are always visible on the main page. it&#039;s just a bit “hidden feature”, as one <a href="https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/managing-your-profile-readme#adding-a-profile-readme" class="urlextern" title="https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/managing-your-profile-readme#adding-a-profile-readme" rel="ugc nofollow">must create a repo, named the same as the account, and put a README.md there</a>. once done profile looks like this: </p> <p> <a href="https://www.baszerr.eu/lib/exe/detail.php?id=blog%3A2023%3A06%3A06%3A2023-06-06_-_github_personal_readme&amp;media=blog:2023:06:06:gh_prfile.png" class="media" title="blog:2023:06:06:gh_prfile.png"><img src="https://www.baszerr.eu/lib/exe/fetch.php?w=600&amp;tok=594067&amp;media=blog:2023:06:06:gh_prfile.png" class="media" loading="lazy" title="my github profile note" alt="my github profile note" width="600" /></a> </p> <p> now this is loud and clear warning, for other side to detect sth is fishy (eg. unsigned e-mail, or e-mail signed with a different key). it&#039;s also verifiable w/o owner being actively involved. last, but not least – it just looks nice. :) </p> <p> you might have noticed i&#039;ve also mention commits are being signed, too. that&#039;s another topic. supply chain attacks are getting more and more common in <abbr title="Free &amp; Open-Source Software">FOSS</abbr> world. possible attack vector here is: account being taken over. if this happens, how can users tell if commit / release is legit? again – GPG comes to a rescue. with each genuine commit being signed, it&#039;s easier for others to spot a problem and rise alarm. </p> </div> anonymous@undisclosed.example.com (Anonymous) Tue, 06 Jun 2023 18:34:51 +0000