225
Anyone can Access Deleted and Private Repository Data on GitHub (trufflesecurity.com)
submitted 1 month ago by communism@lemmy.ml to c/opensource@lemmy.ml
41 comments fedilink hide all child comments
top 41 comments
sorted by: hot top controversial new old
[-] MajorHavoc@programming.dev 79 points 1 month ago* (last edited 1 month ago)

Misleading title.

~~If my thing was public in the past, and I took it private, the old public code is still public.~~

That's... How the Internet works anyway.

Edit: See Eager Eagle's better explanation below.

TL;DR - be careful who you allow to fork your private repos. And if you need to take a public repo, which has forks, private, consider archiving the repo and doing all the new work in a new repo. Which is arguably the reasonable thing to do anyway.

Still a misleading title. This isn't a way to break into all or even most of your private repositories.

[-] morph3ous@lemmy.world 29 points 1 month ago

That is not exactly what they are saying. You could create a private fork of a public repo and the code in your private fork is publicly accessible.

[-] eager_eagle@lemmy.world 29 points 1 month ago

I don't think you can create private forks from public repos (the fork is public upon creation). This is more like the opposite:

If there's a private repo that is forked and the fork is made public, further changes to that original private repo become public too, despite the repo remaining private and the fork not being synced.

[-] hedgehog@ttrpg.network 12 points 1 month ago

Misleading title.

The title literally spells out the concern, which is that code that is in a private or deleted repository is, in some circumstances, visible publicly.

What title would you propose?

If my thing was public in the past, and I took it private, the old public code is still public.

The “Accessing Private Repo Data” section covers a situation where code that has always been private becomes publicly visible.

[-] where_am_i@sh.itjust.works 1 points 1 month ago

the title is dyslexic at best

[-] visor841@lemmy.world 51 points 1 month ago* (last edited 1 month ago)

While this is still a massive problem, it does require a public fork at some point. So if you have a private repo that has never had a public fork, you should be safe.

[-] Aatube@kbin.melroy.org 11 points 1 month ago

(unforked repos that are forks are also affected.)

[-] hedgehog@ttrpg.network 7 points 1 month ago

Yes, but only in very limited circumstances. If you:

  1. fork a private repo with commit A into another private repo
  2. add commit B in your fork
  3. someone makes the original repo public
  4. You add commit C to the still private fork

then commits A and B are publicly visible, but commit C is not.

Per the linked Github docs:

If a public repository is made private, its public forks are split off into a new network.

Modifying the above situation to start with a public repo:

  1. fork a public repository that has commit A
  2. make commit B in your fork
  3. You delete your fork

Commit B remains visible.

A version of this where step 3 is to take the fork private isn’t feasible because you can’t take a fork private - you have to duplicate the repo. And duplicated repos aren’t part of the same repository network in the way that forks are, so the same situation wouldn’t apply.

[-] Aatube@kbin.melroy.org 4 points 1 month ago

The second situation you listed is incredibly common, as the blog post explains.

[-] Asudox@lemmy.world 15 points 1 month ago

Im thinking of self hosting Forgejo one day.

[-] Deckweiss@lemmy.world 13 points 1 month ago

I do and it is pretty easy with docker compose.

[-] explore_broaden@midwest.social 5 points 1 month ago

Does it treat forks differently?

[-] Aatube@kbin.melroy.org -1 points 1 month ago* (last edited 1 month ago)

sourcehut is much better if you can pay

Edit: Only repo hosters need to pay. Everything else is free.

[-] Asudox@lemmy.world 15 points 1 month ago* (last edited 1 month ago)

I want forgejo for its upcoming federation feature tbh.

[-] Slotos@feddit.nl -1 points 1 month ago

Considering that git doesn’t need federation, and email is the grandfather of federation, sourcehut has a working version of it this very moment.

[-] Aatube@kbin.melroy.org 3 points 1 month ago

Why the downvotes?

[-] nekusoul@lemmy.nekusoul.de 6 points 1 month ago

I'd guess because the same argument could be made for the website you're on right now. Why use that when we could just use mailing lists instead?

More specifically: Sure, Git is decentral at its core, but all the tooling that has been built around it, like issue tracking, is not. Suggesting to go back to email, even if some projects still use it, isn't the way to go forward.

[-] Aatube@kbin.melroy.org 3 points 1 month ago
  1. Git has bundled tooling to support pushing MRs to mailing lists.
  2. Email is existing infrastructure. I’m the kind of guy who hates the powerbanks solar route and prefer selling excess solar power to the grid instead. This also has the benefit on allowing you to customize your notifications from subscribed repositories however you like.
  3. The reason we’re not on a mailing list is because we have an extra feature mailing lists can’t offer: reacting, be that upvoting, downvoting, or bookmarking/boosting. Meanwhile, you don’t need that on a development forum. You do have editing, though. Hopefully everyone’s using a client that supports undo.
  4. IMO, the slower speed of email makes people think more before they send.
[-] nekusoul@lemmy.nekusoul.de 3 points 1 month ago* (last edited 1 month ago)

I'm sorry to be blunt, but mailing lists just suck for group conversations and are a crutch that only gained popularity due to the lack of better alternatives at the time. While the current solutions also come with their own unique set of drawbacks, it's undeniable that the majority clearly prefers them and wouldn't want to go back. There's a reason why almost everyone switched over.

[-] Aatube@kbin.melroy.org 2 points 1 month ago* (last edited 1 month ago)

Mailing lists offer everything needed for a discussion: sending words, threading discussion (that’s already better than every competitor!), and receiving words. All of this is done fast with modern email’s push syncing. Sure, it’s not instant messaging, but development discussions shouldn’t be chatty. Sure, it’s not good for voting, but one can and should just link to one of these online polling services that guarantee integrity instead.

[-] nekusoul@lemmy.nekusoul.de 3 points 1 month ago* (last edited 1 month ago)

Technically you can do everything through email, because everything online can be represented as text. Doesn't mean you should.

PRs also aren't just a simple back and forth anymore: Tagging, Assignees, inline reviews, CI with checks, progress tracking, and yes, reactions. Sure, you can kinda hack all of that into a mailing list but at that point it's becoming really clunky and abuses email even more for something it was never meant to handle. Having a purpose-built interface for that is just so much nicer.

[-] Aatube@kbin.melroy.org 1 points 1 month ago

Why would you need to control these through a mailing list? The maintainers should have accounts (I don't see the point in federating maintainers instead of just discussion, especially when this is self-hostable), and only those with permissions should be setting up labels, assignees, inline reviews, and CI. And yes, sourcehut has a UI for this, though alternatives through email commands are also available.

And no, I do not see the point of reactions. If you really need a vote, use a voting service.

[-] Aatube@kbin.melroy.org 1 points 1 month ago

If you meant receive CI results... just send these via email? Every major platform (Gerrit, GitLab, GitHub, Gitea...) already does that for notifications IIRC.

[-] Slotos@feddit.nl 4 points 1 month ago

In the beginning the Universe was created. This has made a lot of people very angry and been widely regarded as a bad move.

[-] hedgehog@ttrpg.network 6 points 1 month ago

What makes sourcehut better?

From a self-hosting perspective, it looks like much more of a pain to get it set up and to keep it updated. There aren’t even official Docker images or builds. (There’s this and the forks of it, but it’s unofficial and explicitly says it’s not recommended for prod use.)

[-] Aatube@kbin.melroy.org 3 points 1 month ago

It also supports browsing without JavaScript, if that's your thing.

[-] Aatube@kbin.melroy.org 2 points 1 month ago* (last edited 1 month ago)

Sourcehut has straightforward much better UI, UX, and features (more than gitea/forgejo but less than GitLab ig). I really dig the subdomain design.

Issues and PRs are conducted through email, essentially making that part federated and signup-less.

I’ve seen many pieces of software that claim to be beta/not used for prod but are actually bedrock solid.

[-] lung@lemmy.world 12 points 1 month ago

Damn that's a huge problem

[-] eager_eagle@lemmy.world 11 points 1 month ago

The takeaway is to not use forks if there are changes you want to keep private.

[-] jjlinux@lemmy.ml 8 points 1 month ago* (last edited 1 month ago)

Just this week I migrated all my repos from github to Gitlab. And only because I can't host my own gits just yet, but will do it soon enough.

[-] muntedcrocodile@lemm.ee 6 points 1 month ago

I tried but they demanded a phone number and credit card for "verification" and fuck that.

[-] ReversalHatchery@beehaw.org 2 points 1 month ago

Also endless verification of you have resistfingerprinting on.

[-] muntedcrocodile@lemm.ee 3 points 1 month ago

Thats probably what did it. Guess when given the options of let us track you or provide your real identity for us to track you. The option of fucking off is best.

[-] sorter_plainview@lemmy.today 5 points 1 month ago

Im using a raspberry pi with a binary installation of Forgejo. Pretty easy to set up if you are comfortable with the terminal.

[-] jjlinux@lemmy.ml 1 points 1 month ago

I've been migrating all my services hosted in UnRaid to ProxMox these last days, but Forgejo is absolutely on my list of new services to selfhosted. Thanks for the tip bud.

[-] gravitas_deficiency@sh.itjust.works 4 points 1 month ago

Codeberg is great too

[-] jjlinux@lemmy.ml 2 points 1 month ago

Yeah, I'm just getting started, and for the life of me, haven't found how to pull the Gitlab repos from it. But I will.

[-] nao@sh.itjust.works 8 points 1 month ago

After reviewing the documentation, it’s clear as day that GitHub designed repositories to work like this.

Sounds like they wanted to find a problem but it turned out to be a feature.

[-] Shadow@lemmy.ca 9 points 1 month ago

Yeah, pretty much everyone agrees that once something goes to git it lasts forever.

The fact they call out that secret keys must be rotated if committed, makes me think they thought just deleting a commit was enough 🤦

[-] eager_eagle@lemmy.world 1 points 1 month ago

a problem that is documented is obviously a feature

this post was submitted on 24 Jul 2024
225 points (95.5% liked)

Open Source

29776 readers
82 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
Cloak@lemmy.ml
kevincox@lemmy.ml
CrypticCoffee@lemmy.ml
Lettuceeatlettuce@lemmy.ml