> I'm seeking HN advice about the technical git aspects, because the fake user has somehow inserted themself as the "author" of many commits, then listed me as the "committer".

Yes, that's how git works. As simple as git commit --author="John Doe <john@doe.org>"

Enable Vigilant mode on Github and any unsigned commits will be shown as "Unverified" https://docs.github.com/en/authentication/managing-commit-si...

I think one of the easiest way is to buy a domain name, create a project pages and links to your real github profile and projects you've participated on. It's harder to spoof domain name.

Anyone else just need to do some due diligence. You don't trust random pages on Facebook, so why should you trust Github profiles either? And I'm not saying to trust your project page, but it's way easier to verify that way. And that's why I like when open source projects have their own website.

> meaning how to verify genuine authors and genuine repos, and block fake authors and fake repos?

Signed commits maybe…

In my opinion, you’re thinking about this wrong. GitHub is the same as any other online platform…

It doesn’t matter “who you say you are”, it’s the reputation that people trust (follows, stars etc…)… and reputation cannot be faked (very easily)

The linked repo has been removed!

How did you find the fraudster?

Probably the easiest solution to this problem would be—don't use GitHub.