Submitted 5 months ago by AnActOfCreation@programming.dev to technology@lemmy.world
https://cybernews.com/news/deleted-github-data-accessible-to-anyone/
“The implication here is that any code committed to a public repository may be accessible forever as long as there is at least one fork of that repository,” the report’s authors claim.
Am I dumb or is this exactly the purpose of forks? I feel like I’m missing something.
What did they research? The git and GitHub documentation, and then the manual on clickbaiting? The shit people publish as research these days to boost their profile…
The concern is that branches and commits that are not otherwise publicly visible become visible, thanks to the way Github handles forks.
I find the language of the article a little confusing, too. But I’m a noob when it comes to GitHub. I have a couple of private projects that I’ve never shared, so not sure if this applies to me or not. We also plan on transitioning to GitHub at work. It’s always smart to assume nothing ever gets truly deleted from an internet service.
If you only ever keep your repository private, then you are fine. Full stop.
If you ever fork the repo and make a “INTERNAL” private fork but move the main project public then anything you commit to the private fork will be discoverable through the public project.
Basically you should assume if you make a repo public then the repo and all of its forks will be public-- even if the forks are “private” the commit data can be found through the main repo.
The original report: trufflesecurity.com/…/anyone-can-access-deleted-a…
Here’s a link to an earlier discussion on this topic: lemmy.ml/post/18368342
if it was never public/forked i guess it’s alright…?
Dave@lemmy.nz 5 months ago
The article is really not clear. Is it saying if a project is forked, then the original is made private, the fork can access data from the private fork?
Is this saying people misunderstand git and think committing a deletion makes people unable to access the previous version? Or is it saying the sharing between public and private repos can expose keys in private repos?
If you accidentally commit an API key into a public repository… you need to roll that key. Even if it was deleted completely, someone still could have accessed it while it was there.
eager_eagle@lemmy.world 5 months ago
from their actual report
Dave@lemmy.nz 5 months ago
I’m still not sure that answers it. If I fork a project, and the upstream project commits an API key (after I’ve forked it), then they delete the commit, does this commit stay available to me (unexpected behaviour)? Or is it only if I sync that commit into my repo while it’s in the upstream repo (expected behaviour)?
Or is it talking about this from a comment here:
Someone replies and said by having garbage collection kick in it removes this unconnected commit, but it’s not clear to me whether this works for github or just the local git repo.
Perhaps the issue is that these commits are synced into upstream/downstream repos when synced when they should not be?
Like I said, I’m really confused about the specifics of this.