Anyone can set the git config values user.name and user.email.
To make these commits verifiable, Git has to be told to sign them.
Generate a key:
ssh-keygen -t ed25519 -C "votre@email.com"
Then tell git to use it:
git config --global gpg.format ssh
git config --global user.signingkey ~/.ssh/id_ed25519.pub
git config --global commit.gpgsign true
git config --global tag.gpgsign true
Then add this signing key to the software forge.
For GitLab: https://docs.gitlab.com/user/project/repository/signed_commits/
GitHub classifies this bug as "ineligible", since it gives neither access to repos nor privileges, so it is not a vulnerability in the strict sense.
Howeeeever, the displayed identity influences decisions; and it is up to the user to verify signatures.
The migration to Codeberg is really easy.
And the licences?
See also the post on GitHub: https://github.blog/news-insights/company-news/updates-to-github-copilot-interaction-data-usage-policy/
A modern approach to programming. The pull request system seems great as I see on the landing page. It stacks up.
GitHub Issues as free database
A way to cheat the git commit graph: commits can be generated at different times.
Putting aside GitHub’s relationship with ICE, it’s abundantly clear that the engineering excellence that created GitHub’s success is no longer driving it.
Most importantly, Actions has inexcusable bugs while being completely neglected. After the CEO of GitHub said to “embrace AI or get out” [...]
and one blocker is now the source of revenue:
GitHub Sponsors is a large fraction of Zig Software Foundation’s donation income, we consider it a liability. We humbly ask if you, reader, are currently donating through GitHub Sponsors, that you consider moving your recurring donation to Every.org, which is itself a non-profit organization.
Against toast notifications
GitHub is going to become more and more important for Microsoft.
I bet the service will enshittify over the coming years, as the Copilot PRs already have.
A CMS built on top of Github
About the push of Copilot on GitHub without opt-out
GitHub's developers were against integrating AI this way.
AI is not good now: https://github.com/dotnet/runtime/pull/115733
60req/hour for unauthenticated users, that's not much!
Forks are copies of the original repository. As such, leaked credentials remain in the forks.
A deleted repository still has the commits from the original repository, and they can still be accessed. Demo on YouTube
Example:
They immediately deleted the repository, but since it had been forked, I could still access the commit containing the sensitive data via a fork
Also related to private repositories:
We demonstrate how organizations open-source new tools while maintaining private internal forks, and then show how someone could access commit data from the private internal version via the public one.
How to access the data? By direct access to the commit.
If you know the commit hash you can directly access data that is not intended for you.
AND
Commit hashes can be brute forced through GitHub’s UI, particularly because the git protocol permits the use of short SHA-1 values when referencing a commit.
because there are 65,536 values at the minimum length, and 16,777,216 is a more realistic figure (6 characters per commit).
Also, "deleting a repository or fork does not mean your commit data is actually deleted."
The flaw also exists in other version control system products.