GitHub lets me commit as another user

Solution 1:

Wow, this is an excellent question. I don't understand why this hasn't gotten more attention (maybe because it's not exactly security related than SU).

There is a Hacker News discussion about it - https://news.ycombinator.com/item?id=7792026

This is not a major issue but you could do some serious abuse with it -

  1. You can publish commits from famous people making it look like they endorse your project and actively contribute to it.
  2. You can fake the amount of contributors your project actually has by using multiple identities of other real GitHub users (this will look way more legit than just using random e-mails).
  3. You might be able to convince someone to merge a pull request into his project by making him think most commits are coming from another trusted user.

Recently GitHub has been criticized for also allowing project owners to edit comments of users replying in their project, making it look like they wrote stuff they didn't write, which can lead to serious abuse. This is a very similar thing.

As other answers have mentioned, this is how Git was designed. In an internal repo you don't care much about this stuff and you mostly care about managing code and not reputation. GitHub, on the other hand, is a social tool and should care about its users' public reputation (as mentioned in the Hacker News discussion, this is solvable by PK encryption. Many users already have a PK assigned to their GitHub account for push permissions; I would imagine the same key can be used to sign commits).

Solution 2:

Git has no way to know who authored what. How could it know? All it's doing is reporting what you tell it to report. Garbage in, garbage out.

It is absolutely normal and routine for one person to commit another person's work.
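
The point both answers make (the author field is whatever the committer supplies, and only a signature binds a commit to a key) can be checked from the command line. The script below is an added example, not part of either answer: it builds a throwaway repository and lists commits that lack a good signature, using Git's `%G?` signature-status placeholder. The function names and the `example.com` identities are constructed for illustration, and it assumes `git` is on the PATH.

```shell
#!/bin/sh
# Added example: author and committer are self-declared text; only a good
# signature (%G? = G) ties a commit to a key. Identities are constructed.

# Build a throwaway repo with two unsigned commits (constructed sample data).
make_demo_repo() {
    dir=$(mktemp -d) || return 1
    git init -q "$dir" || return 1
    # Commit 1: author and committer are the same person.
    GIT_AUTHOR_NAME='Bob Example' GIT_AUTHOR_EMAIL='bob@example.com' \
    GIT_COMMITTER_NAME='Bob Example' GIT_COMMITTER_EMAIL='bob@example.com' \
        git -C "$dir" -c commit.gpgsign=false \
            commit -q --allow-empty -m 'own work' || return 1
    # Commit 2: Bob commits work attributed to Alice. Git records the author
    # field exactly as given and does not check it against anything.
    GIT_AUTHOR_NAME='Alice Example' GIT_AUTHOR_EMAIL='alice@example.com' \
    GIT_COMMITTER_NAME='Bob Example' GIT_COMMITTER_EMAIL='bob@example.com' \
        git -C "$dir" -c commit.gpgsign=false \
            commit -q --allow-empty -m 'patch from Alice' || return 1
    printf '%s\n' "$dir"
}

# audit_commits REPO [REV]
# Print "hash author-email flags" for every commit that is not backed by a
# good signature (%G? other than G; N means no signature at all), and note
# when the author field differs from the committer field.
audit_commits() {
    git -C "$1" log --format='%h|%G?|%ae|%ce' "${2:-HEAD}" |
    while IFS='|' read -r hash sig author committer; do
        flags=""
        [ "$sig" = "G" ] || flags="sig=$sig"
        [ "$author" = "$committer" ] || flags="${flags:+$flags }author!=committer"
        if [ -n "$flags" ]; then
            printf '%s %s %s\n' "$hash" "$author" "$flags"
        fi
    done
}

# Demo run: both constructed commits are reported as unsigned.
repo=$(make_demo_repo) && audit_commits "$repo" && rm -rf "$repo"
```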