
> This week, we discovered that GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository.

Seriously? How that happened is deeply concerning.

And why weren't the other keys exposed?



Indeed. One would assume such a private key to be deeply stashed away behind multiple security borders. Ending up in a GitHub repository seems to imply developers at GitHub somehow had access to it.


It might be a devops person who leaked it


This is absolutely unbelievable when you think about it? I just checked to make sure it wasn't April 1.


Someone at GH was using Copilot DevOps and prompted "How would you go about compromising the integrity of all open source software?", obviously.


Most people do not clone using SSH.


The Git HTTPS authentication UX is quite bad, so I don't understand how this can be true.


Most clones happen without auth on public repos.

Most development work, however, uses SSH.


We use GitHub Enterprise at work and only HTTPS is permitted for authentication.

The "insteadOf" git config is added to workstations and runners to convert attempted SSH connections over to HTTPS.
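The "insteadOf" rewrite described above, modelled in Python as an added example (not code from the thread or from git itself): it parses a constructed workstation gitconfig, applies git's rule that the longest matching insteadOf prefix wins, and reports remotes that would still go over SSH. The two SSH URL forms in the config are an assumption about how such a policy is typically written.

```python
"""Model of git's url.<base>.insteadOf rewriting, used to force HTTPS."""
import re

# Constructed workstation config (assumption: rewrites both common GitHub SSH forms).
GITCONFIG = """
[url "https://github.com/"]
    insteadOf = git@github.com:
    insteadOf = ssh://git@github.com/
"""


def parse_instead_of(text):
    """Return (base, prefix) pairs from every url.<base>.insteadOf entry."""
    rules, base = [], None
    for raw in text.splitlines():
        line = raw.strip()
        section = re.match(r'\[url "([^"]+)"\]', line)
        if section:
            base = section.group(1)
            continue
        entry = re.match(r'insteadOf\s*=\s*(\S+)', line)
        if entry and base is not None:
            rules.append((base, entry.group(1)))
    return rules


def rewrite_url(url, rules):
    """Apply git's semantics: the longest insteadOf prefix that matches wins."""
    best = None
    for base, prefix in rules:
        if url.startswith(prefix) and (best is None or len(prefix) > len(best[1])):
            best = (base, prefix)
    if best is None:
        return url
    base, prefix = best
    return base + url[len(prefix):]


def ssh_remotes_remaining(urls, rules):
    """Audit check: remotes that would still use SSH after rewriting."""
    rewritten = (rewrite_url(u, rules) for u in urls)
    return [u for u in rewritten if u.startswith("ssh://") or re.match(r"^[^/:]+@[^/:]+:", u)]


RULES = parse_instead_of(GITCONFIG)

# Constructed sample remotes; the port-qualified form is not caught by the config above.
SAMPLE_REMOTES = [
    "git@github.com:org/repo.git",
    "ssh://git@github.com/org/repo.git",
    "https://github.com/org/repo.git",
    "ssh://git@github.com:22/org/repo.git",
]
```

Running `ssh_remotes_remaining(SAMPLE_REMOTES, RULES)` shows that an `ssh://host:22/` remote slips past the two prefixes, so a policy relying on insteadOf needs a rule for that form as well.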


Why is SSH not permitted?


I have no knowledge of the risk assessment which led to the decision - above my pay grade; another department; etc.

Like most corporate environments, “it is what it is” and we do our best to perform our jobs within these constraints.


Because "Enterprise". Some C-Level read about Cyber in an inflight magazine and decided "The Firewall" needs to be "locked down" to only allow essential traffic. So https it is!


I would presume because unless you control the GitHub account and the SSH key generation process (making sure to generate on smartcard), any developer can upload any old public key, and then do something like... commit it to a public git repo.


If you're logged in and have an SSH key added to your account, I believe the GitHub UI will show you the SSH clone command by default. Therefore I always clone with SSH, even public repos.


Based on which data? Are there any stats on this?

I personally never clone using HTTPS and I think most of the people I work with do the same.


You may be reading too much into this ... it was a joke :)

But you've made me curious, what's your workflow like? Do you use a GUI git client? For me, the default option provided to me by GitHub is an SSH clone, at least for repos that I own/can push to. This makes it very convenient to work with, because as long as I'm logged into a shell, I'm authenticated to GitHub. But then again, I almost exclusively use the CLI and have an SSH key configured for my GitHub user...

