top | item 33196300

(no title)

The access model on platforms like GitHub is flawed, a single account can be used for both professional and personal projects/repositories, leading to “fat finger” errors like this one here...

discuss

gw99|3 years ago

Oh yes this. It's so easy to critically fuck up an invite into an organisation. If you get typo the username you are potentially compromised. I've seen a couple of near misses on this already.

Note: the invite input box actually autocompletes ALL github usernames.

ccakes|3 years ago

You can invite by email addr, so the workaround here is only invite corporate email addresses.

If the target user hasn't added their corp email to their profile then they can't be part of the org.

matai_kolila|3 years ago

> Note: the invite input box actually autocompletes ALL github usernames.

I'm sorry, but that's wild. That's like, not even an easy engineering problem to solve necessarily, given their size!

hrez|3 years ago

Org can be configured with SSO which would require Org members to login with your Co auth in order to access the Org.

Though it would still allow "collaborators" which don't have SSO requirement.

fjni|3 years ago

Absolutely this!

The fact that no one bats an eye that GitHub is used to store proprietary source code is so surprising to me. Conversely if that is what it is meant for, why does it default to autocompleting to all users globally instead of my org (even on the enterprise version.) why hasn’t this been fixed for years.

anamexis|3 years ago

I don't see how this is related to GitHub's access model. Was the canonical Toyota repo even on GitHub?

alfalfasprout|3 years ago

Not really? You shouldn't be checking in secrets, period.

8organicbits|3 years ago

You shouldn't, but clearly people make this mistake all the time. I caught one last week. Security in depth is valuable.

unknown|3 years ago

[deleted]

jmainguy|3 years ago

Checkout github enterprise managed users, all the shiny of github.com with the benefits from the self hosted github

itake|3 years ago

Do you have a source that this is a "fat finger" error?

I've had contractors publish my code to public Github repos to showcase their work for their next job. Even after emailing them multiple times, I kept finding my code in github with companies emailing me asking for a referral to this person...

tester756|3 years ago

I don't think it is flawed.

You cannot access org's repos without VPN

if you create a new repo by mistake outside your org, then uhh..., it's crazy?

it's like sending email with credentials to people outside your org

alfalfasprout|3 years ago

On github.com you don't need VPN to access your org's repos. You're referring to github enterprise (the self hosted version).