The problem is that "it's not a bug, it's a feature". Look at the Linux kernel mirror for example. All those commits come from different users around the internet, but when their emails show up, GitHub can link their usernames to their profiles.
What to do about this though... that's a good question. Perhaps just not linking profiles when pushed in this way and/or labeling them "unverified" would be sufficient. GPG signing would be nice, but would likely annoy some users.
What to do about this though... that's a good question. Perhaps just not linking profiles when pushed in this way and/or labeling them "unverified" would be sufficient. GPG signing would be nice, but would likely annoy some users.