Ramblings of a Tampa engineer

A few days ago I got a pull request to a project (since been deleted) and a user was attempting to add a file like this to the root of the project.

# https://tea.xyz/what-is-this-file
version: 1.0.0
  - "0xREDACTED"
quorum: 1

Of course my first reaction was to close the pull request immediately. It was some unknown file with some hexadecimal code owner that I couldn't verify.

Sadly the link for "what-is-this-file" actually told me nothing about the file. Not what the parameters meant or anything in that regard - so I was immediately mad.

I searched the user and this individual had 10+ other pull requests verbatim in other repositories. It was a brand new GitHub account and this just felt like a scam to me.

Sure enough between spotting it, reporting it and writing this blog post that user does not exist nor do any of the pull requests.

If I dig into Tea and their OSS aspect - they make the following call out:

Registering your OSS project on the tea protocol offers several benefits. It allows you to gain visibility within the tea community, attract potential contributors and users, and track the utilization and impact of your project. This data can be used to earn rewards based on the value of your project. Additionally, registering your project on the tea protocol incentivizes security researchers to disclose vulnerabilities ethically and responsibly.

I read what I needed to. This is another token based crypto thing which in my experience is frequently abused for the monetary gain instead of whatever the service is offering. I continued reading to figure out why a pull request was given.

Next, you will need to merge a pull request (PR) to demonstrate ownership of this project. You will need to download your project's constitution file, and manually commit and merge the file to your project's repository.

I kept re-reading this line and it made no sense. All I need to do to claim ownership of a project is merge a pull-request? Do I own Laravel because I've gotten a pull request merged?

So I was wondering how Tea handled verifying projects that a user did not own. They had a FAQ especially for this question.

Can I register projects that I do not own?
Yes, you can. You can register projects that you do not own as long as you're at least a contributor to the project and have consent from the project maintainer(s). Registration will only be complete once the PR is merged with the project's repository.

I started piecing together what was happening here. If you get a pull request merged it seems that is proof enough for Tea to consider trusting the tea constitution file. So sure enough this user was attempting to get a pull request merged to many repositories with themselves listed as the sole owner.

That would put them in a position to control these tokens (money?) tied to the open source project.

So I wondered how far this had spread and did a GitHub search.

GitHub search for "tea.xyz"

It seemed this was a fresh type of abuse - we had 100+ pull requests in two days all with users trying to add tea configuration files to repositories. Thankfully it seems most of these users are just trying to scam funds and have no actual idea how GitHub works.

What I mean is these users are just forking projects, merging a fix into their own branch and hoping they've validated that project. Sure enough they've validated their own personal fork - and that is it. It appears only a handful know enough about the process to open the pull request upstream to the main repository.

So I stumbled upon TryGhost/Ghost - which is the repository that houses the Ghost software, which is what I use for this blog. I saw many pull requests for this same type of tea file addition:

sample of one of the pull requests
and more and more....

It seemed Ghost blog was used (probably without permission) as the demo project in an explanation video, which may explain why all these users are attempting to claim ownership of them.

How to register a project with tea (YouTube)

So in short - this is why I often hate crypto. This idea and execution has done nothing but steal time from open source contributors and clog up review time and research for a bunch of garbage pull requests.

So much like Keybase got spammed with an influx of garbage users when they announced their Stellar token - GitHub is getting an influx of garbage users taking time and energy from me and others for this tea stuff.

Take this brand new user who is frantically attempting to add tea configuration files to every repository they encounter. I just wish these people that spent as much time applying themselves to abuse a system instead used it for something different.

Much like the Keybase & Stellar wallet incident some ideas just suck. I don't even want to spend a single minute entertaining any positive aspect of "tea.xyz" - this product and execution has done nothing but upset me. My first impression was negative and its tough to break that.

However saying all of that - every idea has good intention, but you can't often predict the abuse your users will bring. I saw a comment from Max Howell (contributor of tea) when he was pinged on one of these annoying pull requests.

He said:

Hey everyone. We’re really sorry about this.

Firstly, we are taking down the videos. Using real projects in the example videos was a huge mistake and we own it.

Secondly we are going to add verification steps to ensure we do not generate YAML for projects without proof that the user is a legitimate contributor.

For now we will remove ghost from the listing.

Our project genuinely wants to help open source and not hinder it and our efforts are entirely focused on that which ofc includes ensuring that this kind of malicious and despicable behavior ends as soon as possible.

Thank you for your understanding and sincerely: I'm very angry about this, if it was happening to my projects I would also be incredibly unhappy about it.

Ultimately you can make your own judgement about this. I'm not so sure I'm ready for a 2nd chance, but I appreciate the honesty above.

You’ve successfully subscribed to Connor Tumbleson
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Success! Your email is updated.
Your link has expired
Success! Check your email for magic link to sign-in.