Skip to content

Instantly share code, notes, and snippets.

Last active April 6, 2023 14:47
Star You must be signed in to star a gist
What would you like to do?
Trolling Github's DMCA repo with their own security flaws.

Add new Youtube-dl copy to DMCA repo

  1. Fork
  2. Download latest youtube-dl source code from
  3. Extract
    tar -xvf youtube-dl-2020.09.20.tar.gz
  4. Push code to your fork as the GitHub CEO
    cd youtube-dl-2020.09.20
    git init
    git add .
    git config ""
    git config "Nat Friedman"
    git commit -m "Your message to the RIAA and GitHub Here"
    git remote add origin
    git push -f origin master
  5. Get new URL to share!
    echo "$(git rev-parse HEAD)"

Clone hidden repo from DMCA repo:

git clone -n youtube-dl
cd youtube-dl
git fetch origin 416da574ec0df3388f652e44f7fe71b1e3a4701f
git checkout FETCH_HEAD
Copy link

Has this been fixed? It's not working for me.

git push -f origin master
Warning: Permanently added the RSA host key for IP address '' to the list of known hosts. Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Copy link

Mhowser commented Oct 29, 2020

Copy link

lrvick commented Oct 29, 2020

@aveao Github does not need to change git itself here. All they need to do is deny pushes if the on your commit does not match the email on the account associated with the ssh key you are using to push. People that want to push code on behalf of other people can use "git commit --author" as designed. Naturally any unsigned commits should still show a red loud warning like browsers show for unsigned (non https) websites.

Also GitHub was asked by the RIAA to take down a specific set of repos which they did. Now the RIAA has to come up with a new (huge and ambiguous) set, but they likely won't because their current set is being challenged in court and they likely don't want to incur further damages because their claim itself is very clearly illegal, not the code. Taking down a project using the clause they did requires the project explicitly market itself for copyright infringement, and they claimed a few test cases is marketing, which they -clearly- knew was bullshit.

The power of DMCA to take down a repo is a double edged sword. You must comply right away on good faith, but if it turns out the claim was fraudulent or misrepresenting facts as the RIAA takedown here was, they can be counter sued for damages. They are going to lose this one.

Github does not have to do anything here but fix their own security bugs. The RIAA is however being sent a strong message that, legal or not, the internet will not stand for censorship of open source code and any attempts to do so will only motivate far more copies than they took down.

In the mean time Youtube-DL development has moved to Gitlab:

Copy link

This is hilarious!

Copy link

Uploaded a copy of YouTube-DL and added a little something special to the readme...

Copy link

It's interesting that they've been deleting PRs that pull in ytdl or warez, but not actually deleting the commits. I wonder if their strategy is to just delete PRs that make it easy to find and hope people forget that the commits are still there.

Here is one of the things that was added, where the PR was deleted but the content is still up:

Copy link


Go back to the gist and read step 1.

Copy link

davwheat commented Nov 4, 2020

Copy link

This is absolutely comedy gold. 😂

Copy link

Copy link

Zorono commented Nov 6, 2020

Copy link


Maybe I should contact zdnet and tell them myself about my experience hacking them... that would be hilarious if GitHub then replies denying hard evidence from a few of us.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment