pull down to refresh

At least they updated the key within a few days? Still, that's pretty embarrassing to post their private key in a public repo
reply
GitHub is a humungous liability for the whole internet. Every project needs to now consider alternatives.
reply
Gitea is nice, open source and self-hostable (especially if you already have a VPS for your project). It's also possible to mirror or backup Github/Gitlab repos. AFAIK Gitea is working on a federation feature, so you could browse all federated repos (improves discoverability) and commit with a single sign-on.
Codeberg.org is a public registration Gitea instance (also offers a similar service to Github Pages for static websites). HackLiberty.org also operates a Gitea instance.
Otherwise there is a bounty for an implementation of Git on Nostr: https://bountsr.org/nostr-based-github/ Some projects here: https://makers.bolt.fun/project/git-nostr and https://makers.bolt.fun/project/nostrya
reply
I want to switch from gitolite to soft-serve in the near future. Do you have any experience with it?
reply
122 sats \ 1 reply \ @ek 24 Mar 2023
This week, we discovered that GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository.
They only said when they discovered the leak. Not when the leak started.
reply
That is a great clarification!
reply
  • At approximately 05:00 UTC on March 24, out of an “abundance of caution” we replaced our RSA SSH host key used to secure Git operations for GitHub.com
  • The exposure was the result of what we believe to be an inadvertent publishing of private information
  • We have no reason to believe that the private key was abused (yet!)
reply
Still using RSA in 2023 as well lol.
EdDSA ftw.
reply
Backwards compatibility.
They mentioned their ECDSA and ED25519 key are not affected so they also use them.
Also, this incident has nothing to do with RSA. Could have happened with ECDSA and ED25519, too, no?
reply
Yes the incident is human error, but it reflects poor OPSEC - considering how big GitHub is, how difficult would it be to store their private keys only on Yubikeys or similar airgrapped devices instead of having them stored in plaintext where they can be accidentally copy/pasted? This is literally OPSEC 101 and these guys are owned by one of the biggest tech companies in the world. What else are they dropping the ball on?
Fair play on the backwards compatibility - missed that they also have ECDSA and EdDSA keys as well.
reply
I totally agree with you. I just didn't get what RSA has to do with this lol
reply
RSA is old (literally from 1977!), slow (because huge keys are required to make it non-trivial to brute force), and overall less secure than modern elliptic curve cryptography.
As I said though, I missed that they also have EdDSA and ECDSA keys when I skimmed the article during my lunch break. Since the RSA key is only for backwards compatibility it isn't an issue. Thank you for pointing that out to me.
reply
Hey, I posted this before you xD
No worries though, just wanted point out how timing is sometimes relevant which post gets upvotes, lol
reply
Hmm… I thought SN checks for duplicates before posting the url 🤔
reply
It does but it doesn't prevent duplicates. Maybe you clicked on "post" too fast since it takes 1-2 seconds to load the duplicates?
reply
I think that might be it. Given was posting from mobile 🤦‍♂️ My bad
reply
/cc @k00b
might be useful to disable posting until duplicates are loaded (or a timeout is reached)
reply
@cointastical has been asking for this for a long time. I'm open to it if the UX can be made good.
reply
I'll see what I can do. Shouldn't require a lot of changes
reply
Cool I'll send you some sats for it
Again, no worries! Happens, haha
reply