Android syncthing repo gone and Developer profile gone private. (github.com)
Posted by cm0002@digipres.cafe to Opensource@programming.dev · 2 days ago · 12 comments
somewa@suppo.fi · 1 day ago: If he pushed something he shouldn’t have online, then taking it offline immediately makes a lot of sense.

orygin@piefed.social · 1 day ago (edited): It makes sense, but once it’s pushed there is no way to know if it’s been cloned or kept somewhere else. The only real mitigation is to rotate the keys or password that was leaked. If it’s something else you can’t rotate, you’re screwed.

onlinepersona@programming.dev · 1 day ago: https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github

somewa@suppo.fi · 22 hours ago (edited): The point wasn’t that it’s not accessible, but limiting the damage while you still can.
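To make the point in that reply concrete, here is an added example (editor's code, not from the thread, from Syncthing, or from the linked post): a small scanner that walks a constructed git history and reports credential-looking strings in every commit, including ones that a later commit already removed. The commit IDs, file contents and the AWS documentation's example credentials are constructed sample data; the regexes and the entropy threshold are assumptions about what counts as a secret.

```python
"""Scan every commit of a (constructed) history for credential-looking strings.

Added example; not code from the thread or from the Syncthing project.
The history below is constructed sample data: the file content of one
config file at each of three commits, oldest first. HEAD no longer contains
the credentials, but the middle commit still does, and so does every clone
that fetched it while it was reachable.
"""
import math
import re
from typing import Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    commit: str
    line_no: int
    rule: str
    secret: str


# Constructed sample history (commit id, file content). The AKIA... / wJalrX...
# values are the example credentials from the AWS documentation, not real keys.
SAMPLE_HISTORY: List[Tuple[str, str]] = [
    ("a1b2c3d", "DEBUG = True\nAPI_TOKEN = 'xxxxxxxxxxxxxxxxxxxxxxxx'\n"),
    ("d4e5f6a", 'DEBUG = False\n'
                'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
                'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'),
    ("b7c8d9e", 'import os\nDEBUG = False\n'
                'AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n'
                'AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]\n'),
]

# Rules for well-known key formats (assumed patterns, matched before the generic rule).
SPECIFIC_RULES: Dict[str, "re.Pattern[str]"] = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# Generic rule: a secret-ish variable assigned a quoted literal of 16+ characters.
GENERIC_ASSIGNMENT = re.compile(
    r"""(?i)(?:secret|token|password|passwd|key)\w*\s*[=:]\s*["']([^"'\s]{16,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; placeholders like 'xxxx...' score 0


def shannon_entropy(s: str) -> float:
    """Bits per character of s; high values suggest random key material."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return sum(-(c / n) * math.log2(c / n) for c in counts.values())


def scan_text(commit: str, text: str) -> List[Finding]:
    """Return one finding per line that matches a specific rule or a
    high-entropy generic assignment. Specific rules win to avoid duplicates."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in SPECIFIC_RULES.items():
            m = rx.search(line)
            if m:
                findings.append(Finding(commit, line_no, name, m.group(0)))
                break
        else:
            m = GENERIC_ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(commit, line_no, "high-entropy-assignment", m.group(1)))
    return findings


def scan_history(history: List[Tuple[str, str]]) -> List[Finding]:
    """Scan every commit, not just HEAD: history is what clones carry."""
    findings: List[Finding] = []
    for commit, text in history:
        findings.extend(scan_text(commit, text))
    return findings


def leaked_but_gone_from_head(history: List[Tuple[str, str]]) -> List[str]:
    """Secrets that some commit exposes but HEAD no longer contains. Removing
    them in a later commit did not un-leak them; each one still needs rotating."""
    head_text = history[-1][1]
    return sorted({f.secret for f in scan_history(history) if f.secret not in head_text})


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.commit}:{f.line_no} {f.rule}: {f.secret}")
    print("rotate these:", leaked_but_gone_from_head(SAMPLE_HISTORY))
```

Run against the sample history, the scanner finds nothing at HEAD and two credentials in the middle commit. That is the situation the reply describes: anything reported in an older commit sits in the object store of every clone made while that commit was reachable, so deleting the repository or rewriting history cannot retract it, and rotating the credential is the only remediation that actually works.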