It's the internet. Nothing is deleted.
this post was submitted on 26 Jul 2024
214 points (95.0% liked)
Technology
57895 readers
4958 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
So many OpenAI keys!
This is not a GitHub issue. It's a GIT feature. People are always going to clone your repo.
Forks do not exist in git. It's a GitHub feature, and a massive blunder at the same time.
Yes they exist. It's called a clone
The article is specifically about how GitHub forks are not the same as a git clone. A clone isn’t accessible from the upstream without the upstream pulling the changes, but this vulnerability points out that a fork on GitHub is accessible from the upstream without a pull, even if the fork is private.
It’s because GitHub under the hood doesn’t actually do a real clone so that they can save on disk usage.
You actually can't turn a fork private on github
How can such a wrong answer get so many points? Clones and forge forks are unrelated. First, GitHub or GitLab cannot and could not link clones together without analyzing the remotes of each clone.
FFS it's a tech community...
Because you are the one being wrong. Github and others only provide a nice interface around clones. That's all there is, and it doesn't matter much
Well, sort of. GitHub certainly could refuse to render orphan commits. They pop up a banner saying so but I don't see why they should show the commit at all. They could still keep the data until it's garbage collected since a user might re-upload the commit in a new branch.
This seems like a non-issue though since someone who hasn't already seen the disclosed information would need to somehow determine the hash of the deleted commit.
Ah - Actually reading the article reveals why this is actually an issue:
What's more, Ayrey explained, you don't even need the full identifying hash to access the commit. "If you know the first four characters of the identifier, GitHub will almost auto-complete the rest of the identifier for you," he said, noting that with just sixty-five thousand possible combinations for those characters, that's a small enough number to test all the possibilities.
So enumerating all the orphan commits wouldn't be that hard.
In any case if a secret has been publicly disclosed, you should always assume it's still out there. For sure, rotate your keys.
Oh god. That means all the spaghetti code that I ever wrote is still out there.
My people!
Not only just out there. I am regenerating your spaghetti code into a new context with copilot 🧑✈️ Your (ai-regenerated) code will be driving our military nuclear launch code base! Congratulations!
Your (ai-regenerated) code will be driving our military nuclear launch code base!
What's so difficult about writing code that checks if you have 8 zeroes?
https://gizmodo.com/for-20-years-the-nuclear-launch-code-at-us-minuteman-si-1473483587
Oh I'm just the cleaning guy, so I don't really know how to code it myself. We laid off all the developers three weeks ago.
Yup. Along with the code from huge organizations. I always thought it was funny that people put their code online, blindly trusting some random company that got gobbled up by Microsoft.
Your point is valid, but many (most?) enterprises don't use a forking worlflow, so I suspect open source projects will be hit harder, sadly
Along with every private key that was accidentally committed.
Ha ha, way way back in the day when I didn’t understand how keys worked, I sent a private key to another developer when they asked for my public. They were kind enough to educate me.
As a lifelong troll, I would've just generated a new pub key and made a bunch of commits as you. Then two days later, I would tell you what's up once you had time to process the confusion.