Comment by hmottestad

2 years ago

The biggest gotcha here is probably that if you start off with a private repo and a private fork, making the repo public also makes the fork "public".

GitHub may very well say that this is working as intended, but if it truly is then you should be forced to make both the repo and fork public at the same time.

Essentially "Making repo R public will make the following forks public as well: 'My Fork', 'Super secret fork', 'Fork that I deleted because it contained the password to my neighbour's wifi :P'."

OK. I'm not sure if the last one would actually be public, but I wouldn't be surprised if that was "Working as intended(TM)" - GitHub SecOps

Any time you make a private repo public it’s best to just copy that code into a new public repo and leave the private repo private. Otherwise you have to audit every previous commit and every commit on every fork of your private code.

  • If I understand the issue correctly, if you make the original repo public any private forks from other users are also effectively public. Right?

    • You create a new repository, “git init” it and copy your files over to it and push your new repository to your open source repository.

    • Seems to be the case yes. And I guess that the authors of those repos will not get a notification of any sort.

  • Yeah that's fine but the issue is GitHub doesn't make it clear that you need to do this.

I agree. The other cases may be mildly surprising, but ultimately fall firmly into the category of "once public on the internet, always public." Deleting a repo or fork or commit doesn't revoke an access key that was accidentally committed, and an access key being public for even a microsecond should be assumed to have been scraped and usable by a malicious actor.

  • If you have a private repo, you would assume that nothing in that private repo becomes public unless you do something very explicit.

    The issue here is that if you have a private repo and a private fork of that repo, and you make the private repo public but keep the fork private, then you are not explicitly told that your fork is actually public, whether you want it to be or not.

It's a bit that you have to know the SHA, and that's quite unique. It's apparently unique enough for Google Photos to "privately" share without logins.

  • You only need the short SHA, which is 4 characters. Brute force ends up becoming very easy with 65k possibilities.
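Added example, not part of the thread above and not GitHub's code: it demonstrates both the advice earlier in the thread (copy the working tree into a brand-new repo rather than flipping the private one public) and the last comment's point about short SHAs, by building a throwaway local repo with a constructed secret in its history, brute-forcing every 4-hex-character prefix against the object store in a single `git cat-file --batch-check` call, and then checking that a fresh `git init` copy has one commit and no object mentioning the secret. The repo paths, commit messages, the `AKIA_CONSTRUCTED_EXAMPLE_KEY` value and the helper names (`git`, `commit_file`, `brute_force_short_shas`, `publish_fresh_copy`, `run_demo`) are all invented for the demo; it needs a `git` binary on `PATH` and otherwise does nothing.

```python
# Added example (not from the thread): put a secret into a local repo's history,
# recover the leaked commit by brute-forcing 4-hex-char short SHAs, and show that
# a fresh "git init + copy files" repo carries none of that history.
import os
import shutil
import subprocess
import tempfile

# Identity and signing settings passed on every call so the demo does not
# depend on the user's global git config.
GIT_OPTS = ["-c", "user.name=demo", "-c", "user.email=demo@example.invalid",
            "-c", "commit.gpgsign=false"]


def git(repo, *args, stdin=None):
    """Run one git command inside `repo` and return its stdout as text."""
    return subprocess.run(["git", *GIT_OPTS, "-C", repo, *args], input=stdin,
                          capture_output=True, text=True, check=True).stdout


def commit_file(repo, name, content, message):
    """Write `name` with `content`, commit it, and return the full commit SHA."""
    with open(os.path.join(repo, name), "w") as fh:
        fh.write(content)
    git(repo, "add", name)
    git(repo, "commit", "-q", "-m", message)
    return git(repo, "rev-parse", "HEAD").strip()


def brute_force_short_shas(repo, width=4):
    """Try every `width`-char hex prefix against the object store in one
    `git cat-file --batch-check` call (4 chars is git's minimum abbreviation).
    Returns {prefix: full_sha} for prefixes that resolved to exactly one object."""
    prefixes = [format(i, "0%dx" % width) for i in range(16 ** width)]
    out = git(repo, "cat-file", "--batch-check", stdin="\n".join(prefixes) + "\n")
    found = {}
    for line in out.splitlines():
        parts = line.split()
        # Hits print "<full sha> <type> <size>"; misses print "<prefix> missing"
        # and collisions print "<prefix> ambiguous".
        if len(parts) == 3:
            found[parts[0][:width]] = parts[0]
    return found


def publish_fresh_copy(private_repo, public_repo):
    """The thread's advice: copy the working tree (not .git) into a brand-new
    repository with a single commit. Returns the new repo's commit count."""
    shutil.copytree(private_repo, public_repo,
                    ignore=shutil.ignore_patterns(".git"))
    git(public_repo, "init", "-q")
    git(public_repo, "add", "-A")
    git(public_repo, "commit", "-q", "-m", "Initial public release")
    return int(git(public_repo, "rev-list", "--count", "HEAD"))


def store_contains(repo, needle, shas):
    """True if the pretty-printed content of any listed object mentions `needle`."""
    return any(needle in git(repo, "cat-file", "-p", sha) for sha in set(shas))


def run_demo():
    """Returns None when git is not installed, otherwise a dict of observations."""
    if shutil.which("git") is None:
        return None
    secret = "AKIA_CONSTRUCTED_EXAMPLE_KEY"  # constructed stand-in, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        private = os.path.join(tmp, "private")
        os.makedirs(private)
        git(private, "init", "-q")
        commit_file(private, "README.md", "# internal tool\n", "Initial commit")
        leaked = commit_file(private, "config.py", "AWS_KEY = '%s'\n" % secret,
                             "Add config")
        # Removing the key in a later commit cleans HEAD, not the history.
        commit_file(private, "config.py",
                    "import os\nAWS_KEY = os.environ['AWS_KEY']\n",
                    "Remove hard-coded key")
        found = brute_force_short_shas(private)
        short = leaked[:4]
        # `git show` with only the 4-char prefix still prints the leaked key.
        shown = git(private, "show", short) if short in found else ""

        public = os.path.join(tmp, "public")
        count = publish_fresh_copy(private, public)
        public_objects = brute_force_short_shas(public).values()
        return {
            "leaked_commit": leaked,
            "recovered_by_short_sha": found.get(short),
            "secret_in_private_history": secret in shown,
            "public_commit_count": count,
            "secret_in_public_store": store_contains(public, secret, public_objects),
        }


if __name__ == "__main__":
    print(run_demo())
```

The whole 16^4 = 65536-prefix space goes through one `git cat-file --batch-check` process instead of 65536 `git show` invocations, which is what makes the enumeration cheap; on a real hosted repo the same walk is one HTTP request per candidate commit URL, and the "deleted" commit is only as hidden as its first four hex digits. The copy step deliberately uses the working tree rather than `git clone`, so no commit, tree or blob object from the private history is carried over.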