Today in the community, I saw a rumor saying that Linus Torvalds participated in the $zailgo project and included a github link https://github.com/notwedtm/zailgo.

Seeing this message surprised me quite a bit. Who is Linus Torvalds? Let's take a look at the introduction on wiki:

Linus Torvalds is the author of the linux kernel, and the open-source project git is also his. How could such an ancient giant come to web3 to participate in a small project? It's truly puzzling; the truth is always one. Let's find it out.

Let's first click on 'commit' to see what the giant has submitted:

After clicking, we find that the status of this commit is 'Unverified', indicating that this submission has not been verified.

By clicking on this status, we can also see a prompt indicating that Linus Torvalds did not use his public key to sign it.

So how is this type of commit forged? It's actually quite simple; the only fields needed to record the submitter's information on github are GIT_AUTHOR_NAME, GIT_AUTHOR_EMAIL, etc. Can we forge this information?

Let's do an experiment, setting several related environment variables, all of which are public information from Linus Torvalds:

export GIT_AUTHOR_NAME="Linus Torvalds"

export GIT_AUTHOR_EMAIL="torvalds@linux-foundation.org"

export GIT_COMMITTER_NAME="Linus Torvalds"

export GIT_COMMITTER_EMAIL="torvalds@linux-foundation.org"

Then we randomly modify some content in the source file and then commit to see what the log is:

The top entry is my test information, and it can be seen that the author information in the log has changed to Linus Torvalds. At this point, if I were to submit, it would show on github that Linus Torvalds participated in this project. The second piece of information is the forged information we currently see on github.

So how can we determine if this type of submission is forged? There are several methods:

1. We click on commit to see what the current status of the submission is. If it is a real submission, there will be nothing in the status. If it is forged, the above 'Unverified' will appear.

2. We can also go to Linus Torvalds' github homepage to see what projects his activity submissions include. His github is https://github.com/torvalds, and in 'Contribution activity', we can see that he has not participated in the zailgo project.

3. The project administrator can see detailed commit logs, and at this point, the forger's information can also be discovered, but we do not have administrative privileges.

The zailgo project is a good project, and forging information for promotion is unacceptable. Everyone should also be careful not to be deceived by such false information.