Comment

Comment on Data from deleted GitHub repos may not really be deleted

Mubelotix@jlai.lu ⁨3⁩ ⁨months⁩ ago

This is not a GitHub issue. It’s a GIT feature. People are always going to clone your repo.

source

Sort:hotnew top

Morphit@feddit.uk ⁨3⁩ ⁨months⁩ ago
Well, sort of. GitHub certainly could refuse to render orphan commits. They pop up a banner saying so but I don’t see why they should show the commit at all. They could still keep the data until it’s garbage collected since a user might re-upload the commit in a new branch.

This seems like a non-issue though since someone who hasn’t already seen the disclosed information would need to somehow determine the hash of the deleted commit.

source
- Morphit@feddit.uk ⁨3⁩ ⁨months⁩ ago
  Ah - Actually reading the article reveals why this is actually an issue:
  
  What’s more, Ayrey explained, you don’t even need the full identifying hash to access the commit. “If you know the first four characters of the identifier, GitHub will almost auto-complete the rest of the identifier for you,” he said, noting that with just sixty-five thousand possible combinations for those characters, that’s a small enough number to test all the possibilities.
  
  So enumerating all the orphan commits wouldn’t be that hard.
  
  In any case if a secret has been publicly disclosed, you should always assume it’s still out there. For sure, rotate your keys.
  
  source
best_username_ever@sh.itjust.works ⁨3⁩ ⁨months⁩ ago
Forks do not exist in git. It’s a GitHub feature, and a massive blunder at the same time.

source
- Mubelotix@jlai.lu ⁨3⁩ ⁨months⁩ ago
  Yes they exist. It’s called a clone
  
  source
  - arcuru@lemmy.world ⁨3⁩ ⁨months⁩ ago
    The article is specifically about how GitHub forks are not the same as a git clone. A clone isn’t accessible from the upstream without the upstream pulling the changes, but this vulnerability points out that a fork on GitHub is accessible from the upstream without a pull, even if the fork is private.
    
    It’s because GitHub under the hood doesn’t actually do a real clone so that they can save on disk usage.
    
    source
    Mubelotix@jlai.lu ⁨3⁩ ⁨months⁩ ago
    You actually can’t turn a fork private on github
    
    source
  - best_username_ever@sh.itjust.works ⁨3⁩ ⁨months⁩ ago
    How can such a wrong answer get so many points? Clones and forge forks are unrelated. First, GitHub or GitLab cannot and could not link clones together without analyzing the remotes of each clone.
    
    FFS it’s a tech community…
    
    source
    Mubelotix@jlai.lu ⁨3⁩ ⁨months⁩ ago
    Because you are the one being wrong. Github and others only provide a nice interface around clones. That’s all there is, and it doesn’t matter much
    
    source