Linus: “I Deleted Linux Because It Sucks!”

By: Luo Qiqi

Produced by: OSC Open Source Community (ID: oschina2013)

On January 25, Linus Torvalds submitted a prank README page to the Linux GitHub repository: https://github.com/torvalds/linux/tree/8bcab0346d4fcf21b97046eb44db8cf37ddd6da0, titled “delete linux because it sucks” — I deleted Linux because it sucks.Linus: "I Deleted Linux Because It Sucks!"

Hello everyone, I am Linus Torvalds, the famous author of Linux. You can check the repo URL and the name at the top of the file, which can prove that it was me who submitted it. I deleted Linux because I hate it, and I think it sucks. You should use this great operating system called Windows XP, which I just found out is really great.

Why is this considered a prank? Because the source code of Linux has not been deleted, and observant netizens discovered that there is a link at the bottom of the README:Linus: "I Deleted Linux Because It Sucks!"This link points to a post on Hacker News, which details the existing “fake commit” vulnerability on GitHub: arbitrary commits can be published under the URL https://github.com/my/project. For example, using the URL https://github.com/my/project/blob/<faked_commit>/README.md, a fake README page can be published, which will not appear in the project’s commit history and does not belong to any branch, and can only be seen by accessing a specific URL. Linus’s prank README file exploited this fake commit vulnerability; take a look at the URL of this README:Linus: "I Deleted Linux Because It Sucks!"If it were a normal commit, the URL should contain the word commit, for example:Linus: "I Deleted Linux Because It Sucks!"Linus: "I Deleted Linux Because It Sucks!"In addition to the incorrect URL, this README file also did not appear in the commit history:Linus: "I Deleted Linux Because It Sucks!"It can be seen that Linus was just joking and did not actually delete the repository.Those interested in this vulnerability can check out the original post on Hacker News, which combines this fake commit vulnerability with another “impersonating a user through git email address” vulnerability: https://bounty.github.com/ineligible.html#impersonating_a_user_through_git_email_address, which can create phishing pages that look real. For example, https://github.com/slimsag/linux/tree/5895e21f3c744ed9829e3afe9691e3eb1b1932ae#linux-kernel this repository seems to indicate that Linus himself participated in its development:Linus: "I Deleted Linux Because It Sucks!"However, this was just achieved by replacing the email address, changing slimsag to torvalds.Linus: "I Deleted Linux Because It Sucks!"Linus: "I Deleted Linux Because It Sucks!"On the left is the torvalds replaced through the vulnerability, and on the right is the normal one. A careful comparison reveals that the torvalds created through the sleight of hand does not display activity records.These GitHub vulnerabilities were disclosed in 2020, yet the vulnerability authors claim that “GitHub does not consider these issues as vulnerabilities at all”. It is unclear whether GitHub is unable to address them or believes they are unnecessary to fix; in any case, they can still be exploited to this day.

Previous Highlights

cURL Author Complains: A Fortune 500 Company “Free Riding” on Technical Support

What is the Gap in Open Source Between China and the US?

Microsoft Releases VS Code Java Roadmap for 2022

Linus: "I Deleted Linux Because It Sucks!"If you find this interesting, please give it a thumbs up.

Leave a Comment