This ability to (1) forge commits from other people and (2) reference commit hashes from different forks, making them appear to belong to a GitHub repository that they were never actually pushed to, has been posted about on HN before, though I'm having trouble finding the most relevant link.
Edit: For instance, someone pulled a similar trick a year back by making a commit in a fork of the GitHub DMCA repository containing youtube-dl: https://news.ycombinator.com/item?id=24882921
> This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
https://github.com/torvalds/linux/commit/ac632c504d0b881d7cf...
https://github.com/torvalds/linux/commits?author=torvalds
This ability to (1) forge commits from other people and (2) reference commit hashes from different forks, making them appear to belong to a GitHub repository that they were never actually pushed to, has been posted about on HN before, though I'm having trouble finding the most relevant link.
Why does GitHub let me commit as other people? (2014) https://news.ycombinator.com/item?id=7792026
Edit: For instance, someone pulled a similar trick a year back by making a commit in a fork of the GitHub DMCA repository containing youtube-dl: https://news.ycombinator.com/item?id=24882921