top | item 27736818

phumberdroz | 4 years ago

The only time I would think this is a valid security issue is if those were tokens that were previously not public. But that should not be the case, right?

e12e | 4 years ago

Sure, if someone checked in a secret to a repo that at some point was public, and it got crawled by Copilot, they should cycle that secret so it's no longer valid, rather than only marking the repo private and/or nuking the secret from the repo history.

But there's another side to this: if you write code using Copilot against a popular API, and Copilot gives you a valid key, and you access data or a system you aren't supposed to, would you be liable under the various draconian anti-hacker laws?

If you pick up a key card from the street and enter someone's home, you'd be trespassing after all.
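The practical follow-up to the point above is finding out which secrets were ever committed, because anything that sat in a public history has to be treated as leaked and rotated, whatever happens to the repo afterwards. The scanner below is an added example, not code from the thread or from any product it mentions; it flags credential-shaped strings in text such as `git log -p` output or a pasted editor suggestion. The provider token shapes are illustrative assumptions, the entropy threshold is a tunable guess, and the sample snippet is constructed for this example (the AWS access key ID is the placeholder from AWS's own documentation, not a live credential).

```python
"""Added example (not from the thread): flag credential-shaped strings in text.

Run it over `git log -p` output, a file, or a pasted editor suggestion to find
out which secrets were ever committed and therefore must be rotated. The token
patterns are illustrative assumptions about common key shapes, and the sample
snippet is constructed for this example.
"""
import math
import re
from dataclasses import dataclass

# Provider-specific shapes (assumption: illustrative, not an exhaustive list).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Generic fallback: a secret-looking variable name assigned a long literal.
ASSIGNMENT = re.compile(
    r"(?i)([A-Za-z0-9_.]*(?:api[_-]?key|secret|token|password|passwd)[A-Za-z0-9_]*)"
    r"""\s*[:=]\s*['"]?([A-Za-z0-9_\-/+=]{16,})"""
)

ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune per code base


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random keys score high, 'aaaa...' scores 0."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    value: str


def scan(text: str, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Return one Finding per credential-shaped string, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, kind, m.group(0)))
                seen.add(m.group(0))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Skip values a specific pattern already reported; keep only those
            # random enough to be a real key rather than a placeholder.
            if value not in seen and shannon_entropy(value) >= threshold:
                findings.append(Finding(line_no, "high_entropy_assignment", value))
    return findings


# Constructed sample, shaped like a code suggestion that carries secrets.
# The AWS key is the placeholder ID from AWS documentation, not a live key.
SAMPLE = """\
import requests
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_abcdefghijklmnopqrstuvwxyz0123456789"
password = "hunter2"
token = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
client_secret = "q7Gz2pLm9vXr4Kt8bNc1Ws6Yh3Jd0Fe5"
"""


def redact(value: str) -> str:
    """Show only a prefix so the report itself does not re-leak the secret."""
    return value[:6] + "..." if len(value) > 6 else "***"


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind} {redact(f.value)}")
```

On the sample, the AWS and GitHub lines are caught by their specific shapes, the `client_secret` line is caught by the generic name-plus-entropy rule, and the two remaining lines show the rule's blind spots: a short password falls under the 16-character floor and a repeated-character placeholder scores zero entropy. Those knobs are the trade-off between noise and misses; whatever the scanner finds, the fix is rotation, not history rewriting.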

phumberdroz | 4 years ago

That is a good question, and I think you should be. After all, you are still the person that writes and produces the code, just with the help of a tool. Similar to a lockpick. (I hope that makes sense.)

holstvoogd | 4 years ago

Let's hope so... I expect that these were accidentally committed to a public repo.

However, while the keys are then already leaked, you'd have to go search for them. Copilot suggests you use them in your editor. That is not quite the same imo.

It goes from deliberately searching for and using leaked keys to having them handed to you without context. I feel it is a bit like finding an unlocked bike: if you take it, it is still stealing. But here there is a guy at the bike parking, let's say, that is handing out bikes to anyone passing by. Not the best analogy, but I think it covers my point ;)

phumberdroz | 4 years ago

I think it would be more like a friend telling you to take the bike or saying it is his bike and you can take it for a ride.

But yes, I get your point, but I also believe people still need to apply some sense to what Copilot suggests.