GitHub UX has operational security risks

40 points by davydog187 1 year ago | 14 comments
  • wrs 1 year ago
    I agree this is a real problem. If the repo is in an organization, I would like to have to check a box like “include outside users”.
    • ocdtrekkie 1 year ago
      I was blown away by this the other day. I do know the user's handle and started typing it, but GitHub would prefer to suggest every random person with the same first name before the actual user who is already affiliated with some of the org's other repos? Wild!
      • fjni 1 year ago
        GitHub UX is an unmitigated disaster from an operational security perspective. In their defense, it did start out as an open-source tool. The fact that enterprises adopted it so blindly despite this is pretty interesting.
        • okanat 1 year ago
          It really didn't start out as an open-source tool. GitHub was founded for selling private repo access for Git and got popular in the FOSS community since they provided free storage.
          • arcanemachiner 1 year ago
            I wonder if they meant "tool for open source" as opposed to "tool that is open source".
            • fjni 1 year ago
              Correct. Unclear wording on my part. If you build a product that is meant to be used by the open source community, you build features which are at odds with companies’ needs that care about keeping their code proprietary.
        • brobdingnag_pp 1 year ago
          Accidentally @tagging people in private PRs is always fun too!
          • lijok 1 year ago
            It does show people in your org first, but you have to search by username, not full name.
            • rad_gruchalski 1 year ago
              And that is a problem. Do you know the GitHub usernames of everyone in your org? I sure know most names of the people in my org but have no clue about their handles… I most often depend on GitHub suggestions.
              • bitfilped 1 year ago
                I know people in my org by their handles better than their names haha, guess it just depends on the culture of the place you're at.
                • numpad0 1 year ago
                  Time to reinvent Java style reverse FQDN for user handles! IMO short username or alphanumerical ID is a must so as not to get into The Falsehoods.
                  • wiml 1 year ago
                    We already have those; we just use forward-FQDN syntax like username@company.co.uk. Works great, widely implemented.
              • rurban 1 year ago
                Should be trivial to fix without a UX redesign, really. Two lines of Ruby added for the org filter first.
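As an added illustration of the fix the thread is circling around (this is not GitHub's code, and the user directory, handles and display names below are constructed for the example), here is a collaborator-suggestion ranker that matches on both handle and full name, excludes outside users unless the caller opts in, and always ranks org members ahead of outsiders even when an outsider's handle is a closer textual match:

```ruby
# Added example, not GitHub's implementation: org-first collaborator suggestions.
User = Struct.new(:handle, :display_name, :org_member, keyword_init: true)

# Constructed sample directory: a mix of org members and unaffiliated users.
DIRECTORY = [
  User.new(handle: "jsmith",  display_name: "Jane Smith",    org_member: true),
  User.new(handle: "janed0e", display_name: "Jane Doe",      org_member: false),
  User.new(handle: "jane-k",  display_name: "Jane Kowalski", org_member: false),
  User.new(handle: "bwayne",  display_name: "Bruce Wayne",   org_member: true),
  User.new(handle: "jrandom", display_name: "Jane Random",   org_member: true),
].freeze

# A user matches if the query appears in the handle OR the display name,
# so people who only know a colleague's real name still find them.
def matches?(user, query)
  q = query.downcase
  user.handle.downcase.include?(q) || user.display_name.downcase.include?(q)
end

# Returns suggested handles for a query.
# include_outside: false (the safe default) restricts results to org members,
# the "include outside users" checkbox idea from the thread. With true, outside
# users are allowed but org members are still ranked first.
def suggest(query, directory: DIRECTORY, include_outside: false, limit: 5)
  return [] if query.strip.empty?

  hits = directory.select { |u| matches?(u, query) }
  hits = hits.select(&:org_member) unless include_outside

  # Rank: org members first, then handle-prefix matches, then directory order.
  ranked = hits.sort_by.with_index do |u, i|
    [u.org_member ? 0 : 1,
     u.handle.downcase.start_with?(query.downcase) ? 0 : 1,
     i]
  end
  ranked.first(limit).map(&:handle)
end

if __FILE__ == $PROGRAM_NAME
  p suggest("jane")                         # org members only
  p suggest("jane", include_outside: true)  # org members still listed first
end
```

The two behaviours that matter for the thread's complaint are the default `include_outside: false`, which makes leaking an invite to a stranger require a deliberate opt-in, and the sort key, which guarantees an org member never sorts below an unaffiliated user with the same first name.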