Recently, an 18-year-old novice submitted a PR (pull request) to a GitHub repository. A single "@" turned GitHub into a "botnet" that sent harassing emails to nearly 400,000 developers, and the resulting "storm" has swept the open source community.
One "@", 400,000 developers received 60 million+ emails
According to reports, the newcomer, Rohith Sreedharan, originally wanted to push a fake pull request (submitting new code to UE) to the GitHub repository of the game company Epic Games, to get some contribution history (he was trying to change 3 words in the readme) and to "practice".
But in doing so, to get his PR merged as quickly as possible, Rohith Sreedharan mentioned ("@") all developers associated with the Epic Games organization in a comment, which includes anyone who joined the organization to view the Unreal Engine source code.
As a result, his "@EpicGames/developers" action triggered a reply-all event: an email notification about this PR was sent to all GitHub users who joined the Epic Games organization.
In other words, Rohith Sreedharan mistakenly mentioned ("@") all developers associated with the Epic Games organization, that is, anyone who had joined the organization to view the Unreal Engine source code.
As a result, the "@" caused some 400,000 developers using Unreal Engine to receive notification emails from GitHub regarding this pull request.
At the same time, the mention also subscribed all of these developers to the comment thread of the pull request. That is, whenever one of the 400,000 developers commented on Rohith Sreedharan's pull request, that comment was also sent as an email notification to all the other members of the Epic Games organization, resulting in an email "bombing" event.
Crucially, developers found many problems with the pull request Rohith Sreedharan submitted, which led to a large number of comments and corresponding email notifications. Unfortunately, the unsubscribe link in the email notification did not actually unsubscribe the user from the pull request, so many developers received over 150 emails, and some received as many as 200-400 emails.
In other words, GitHub sent a total of 60 million+ emails that night.
As the email "bombing" continued, a developer finally found a way to unsubscribe from the pull request: "There is an 'unsubscribe' button at the bottom of the right column, just above the participant list, click it to ignore the flood of incoming notifications."
At this point, Epic Games also learned what had happened, immediately locked the pull request and closed its comments, finally ending this "farce".
GitHub email mechanism questioned
At present, this incident is being hotly discussed by a large number of developers in well-known communities such as Reddit and Hacker News.
Among them, a developer named @TomSwirly on Reddit expressed indignation at the incident, saying "I bet that among these 400,000 developers, many of them are beginners; if I were a beginner, I could easily waste a lot of time trying to figure out what's going on." He added: "Go away, spammer, whoever you are."
In addition, a developer named @trag1c on linustechtips commented on this event and the "initiator" of the event - newbie Rohith Sreedharan:
"Honestly, I don't know whether to call this kid a 'legend' or a 'brain wreck' (probably both). Assuming the kid is trying to get a job in software development, it's possible that he has a school project on GitHub or something; he probably thought he might make false promises to some projects, trying to say he contributed to some complex big projects like Unreal Engine. But he made a fatal mistake: he "@"-ed the whole organization, not just the person reviewing the pull request... sadly, it probably won't help his career."
Another question worthy of attention is - "Why does GitHub allow email notifications to 400,000 people?"
According to developer @trag1c, "I really can't think of a good reason to allow @-mentioning the whole organization in this way, and it's part of the problem with the way Epic hides the code. In order to view the Unreal source code, you have to join this thread on GitHub. A gaming organization would do, and of course that organization would allow you to be part of being flagged as an organization. But then the whole setup would be a 'disaster', as you might be able to use GitHub to DDoS GitHub with such a setup..."
At the same time, many developers have suggested that GitHub should improve the mechanism to prevent such incidents from happening again. In response, Shay Frendt, senior director of engineering at GitHub, said: "Sorry, our current system design has caused you to fall into this situation. We are working hard to release a patch to try to break the feedback loop you are all caught in."
Apology on Twitter: 'I was wrong, promise it won't happen again'
After the incident, the 18-year-old novice developer finally tweeted an apology on June 5:
“Am extremely sorry, I wasn't knowing that would be tagging a 400k members, Extremely sorry for the spam from whole heartedly, I Apologize to all the team including @EpicGames and @github, never expected this would happen, thanks for notifying me! I promise it won't happen again”
In the tweet, he apologized, saying that he did not know the action would tag ("@") about 400,000 members, sincerely apologized for the resulting spam "bombing" incident, and apologized to all the teams, including @EpicGames and @github: "I didn't expect this, thank you for letting me know! I promise it won't happen again".
I believe that for the 18-year-old Rohith Sreedharan, the incident of "email bombing" nearly 400,000 developers will definitely teach him a lot.
At present, discussion of this email "bombing" event is still growing on Twitter and in major developer communities, and we will continue to follow how GitHub improves its mechanism. If you have any views on this event, please leave a message in the comment area.
Reference link: https://github.com/EpicGames/Signup/pull/24