A bit far-fetched perhaps, but could it be that this attack on Github's front-end was a mere feint for a separate attack on their back-end?
If there's a repo hosted there that someone in China wanted to modify, perhaps they would use DOS as cover for a surreptitious maneuver which might otherwise get noticed.
This is likely just showing my ignorance of Git, but could an attacker having sufficient compute resources to arrange a Git hash collision and having back-end access to Github, modify sources without it being noticed by the repo owner?
This is actually a very good and interesting question. It would be good if Github started to at least show signed commits and on a per repo level block non-signed commits.
And Git should migrate to something better than SHA1.
If there's a repo hosted there that someone in China wanted to modify, perhaps they would use DOS as cover for a surreptitious maneuver which might otherwise get noticed.
This is likely just showing my ignorance of Git, but could an attacker having sufficient compute resources to arrange a Git hash collision and having back-end access to Github, modify sources without it being noticed by the repo owner?