
GitHub Impervious to Super Missiles - craigkerstiens
http://discursive.com/2012/03/16/github-impervious-to-super-missiles/
======
awj
I honestly don't find this reasoning very convincing. Mostly because it seems
to be mistakenly equating Github with Git. _All_ of the issues presented on
both sides (i.e. "why are we depending on this third party" and "I don't want
to go back to <proprietary whatever>") could be addressed with an in-house git
repository. Sure, that creates new problems, but if the concern is about using
_Github_, turning things into an argument about _Git_ is just wasting time.

Also, statements like "Listen, Github is how software is done right now" are
just _screaming_ for unnecessary confrontation and useless sideline arguments.
I agree that Git is more effective (for most use cases) than any centralized
VCS I've seen, but turning that _opinion_ into a bald assertion is just going
to cause arguments you really shouldn't be having.

~~~
glennericksen
GitHub is great because you get to use git. I don't think that you can
entirely separate them from each other, or craft an argument for the
advantages of GitHub without somehow mentioning git. The vulnerability in
GitHub clearly matters. It was a potentially explosive issue, but GitHub
issued a prompt and appropriate mea culpa, while resolving the problem. Also,
it stirred the pot in the Rails community, with many coming up with safeguards
against the potential mass assignment vulnerability. Although I disagree with
his downplaying of the problem, I certainly don't have plans of going anywhere
else, which I think is the spirit of what the author was trying to convey.

~~~
awj
> GitHub is great because you get to use git.

That's exactly my point. The article seems to be confusing a concern about
_Github_ for a concern about _Git_ and then spends most of its time addressing
the latter. I can (and do!) use Git without using Github. If my organization
decides that Github is too much of a risk, that doesn't necessarily mean we'll
be dropping Git.

------
Estragon
> This sort of stuff happens to every hosted service you
> use, 95% of the time you don’t hear about it because it
> is a real hostile and the company just pays some ransom
> demand in exchange for not being screwed.

Or you don't hear about it because the hostile is quietly making hay from the
vulnerability in some other way. Like spying on private github repositories.
The fact that github was hacked "by a friendly" doesn't mean it was _only_
hacked by him.

~~~
chimeracoder
I believe GitHub was able to tell which public keys had been added using this
exploit (because with this vulnerability, the log files should still be
intact). So we/they can safely say that _this_ vulnerability was not exploited
maliciously.

Sure, there may be others we haven't heard of, but that's potentially true
about any service.

------
tuxcanfly
> “Those DVCS kids, they got just what they deserved, won’t it be great when
> we can get back to a real VCS like Perforce”.

This entire article is based on the false dichotomy that either we get along
with github as it is or go back to svn.

Given the number of projects which directly pull code from github and execute
it on production machines, it is not unreasonable to expect basic security
from a hosting provider. I don't see why github should be given a second
chance.

~~~
bradleyland
It also conflates DVCS (specifically, git) with the attack at Github. The
security incident at Github had zero to do with DVCS in any way, shape, or
form. Were Github to have been SVNHub, built on Rails, and lacking mass
assignment controls, the same attack could have occurred.

------
njs12345
Not to mention that GitHub also has an excellent self-hosted product:
<https://enterprise.github.com/>

------
boonez123
Github wasn't hacked. Github had a programming error. The RAILS docs clearly
state to be careful of mass assignment. It's a known issue.

Your product is only as good as the people who build it. Github devs are
amazing I'm sure, however it just takes one moment of, "Sheesh, why am I
wasting these lines of code when I can consolidate it into one line."
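The "consolidate it into one line" pattern is mass assignment: copying every submitted field onto the model instead of assigning the few the form is meant to set. The following is an added, constructed illustration in plain Ruby (not GitHub's or Rails' code); the `PublicKey` class, the `assign_all` / `assign_allowed` methods and the sample request body are assumptions standing in for a Rails model, `update_attributes` and `attr_accessible`.

```ruby
# Constructed illustration of mass assignment, modelled on a Rails-era SSH
# key form. The form should only set `title` and `key`; `user_id` must come
# from the authenticated session, never from the request body.
class PublicKey
  attr_accessor :title, :key, :user_id

  # Allowlist of form-settable attributes, the idea behind attr_accessible.
  ALLOWED = %w[title key].freeze

  def initialize(session_user_id)
    @user_id = session_user_id
  end

  # Vulnerable: the "one line" version. Every submitted field, including
  # ones the form never shows, is written onto the record.
  def assign_all(params)
    params.each { |name, value| public_send("#{name}=", value) }
    self
  end

  # Hardened: unknown keys are ignored (Rails can also log or raise), so
  # user_id stays whatever the controller set from the session.
  def assign_allowed(params)
    params.each do |name, value|
      next unless ALLOWED.include?(name.to_s)
      public_send("#{name}=", value)
    end
    self
  end
end

# Constructed request body: a normal form would only send title and key;
# the extra user_id field is the one mass assignment must not honour.
SUBMITTED = {
  "title" => "laptop",
  "key" => "ssh-rsa AAAA...example",
  "user_id" => 1
}.freeze
SESSION_USER_ID = 42

def vulnerable_owner
  PublicKey.new(SESSION_USER_ID).assign_all(SUBMITTED).user_id
end

def hardened_owner
  PublicKey.new(SESSION_USER_ID).assign_allowed(SUBMITTED).user_id
end

puts "vulnerable: key now owned by user #{vulnerable_owner}"   # 1
puts "hardened:   key still owned by user #{hardened_owner}"   # 42
```

The check a reviewer wants is the second one: after assignment, ownership still matches the session, whatever the request body contained.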

------
timobrien
OMFJesus, you people take my blog way too seriously. Of course I understand
the issues you all raised, but this is a story (and not even a 100% accurate
story because the jackass I work with would find out).

------
aiscott
It's weird how this article treats Git and Github as synonymous.

Github's rails bug really had nothing to do with Git itself.

~~~
aaronblohowiak
There was not a rails bug! It is that way _by design_. Now, it is a terrible
default but it was not a bug.

~~~
mcdillon
Designed bugs are still bugs.

~~~
aaronblohowiak
No, one is naïveté and the other is ignorance. Big difference.

------
drivebyacct2
Why are we still talking about this? Besides, the reasons listed are flat out
wrong in multiple places. Not sure if it's the result of seeing the PR a week,
two weeks later... 1 is completely moot. If a friendly can hack it, so can
Somalian pirates. 2 is just inaccurate. 3 is applauding something that should
never be necessary. 4 is missing the point entirely, as is 5. 6 is just
stupid, it's not a response to "host your own Git repo".

"GitHub is a DVCS". Is the author aware that GitHub is... just Git... and that
people can host their own Git repos manually? (Or their own mini-GitHub clone
gitlab?)

