
Comment by __turbobrew__

1 day ago

I think it is pretty common that devs have read only access to all source code.

The real question is why github has 3800 internal repos.

Shoot, dude, the engineering organization I mentor/teach at a high school has ~75 internal repos.

Robot source code; satellite ground station hardware; satellite ground station software; visualization; satellite hardware; satellite software; nuttx + its submodules for 2 different projects; linux kernel fork; circuitpython fork; raspberry pico tools fork; embedded programming/debugging tools; my lecture notes; my automated grading tooling; etc etc etc. That's just me + ~35 students in classes.

Pretty easy to see how when you have scale you can get to a few thousand.

It's normal that a dev has *access* to all the code.

But did he clone all the repos onto his machine? I doubt it. So the hacker extracted all 3800 repos using the employee's machine as a gateway? I doubt that as well; I'm sure they would have detected this huge amount of data well before all of it was transferred?

> The real question is why github has 3800 internal repos.

I guess they mean customer's private repos?

  • > I guess they mean customer's private repos?

    I don't think so. It is even worse if a random developer has access to customers' private repos.

  • All the attackers need to do is steal an SSH key and they'd be able to clone everything, no?

• Nah, GitHub/MS doesn't allow SSH keys for their internal stuff. You have to use git-credential-manager, which enforces MFA.

    • Depends how it's set up. Many companies add an IP address check so if you don't come via their VPN (or are not in the office) the connection will be rejected before any auth is asked.

So you'd need to authenticate for the VPN, which often has a 2nd factor.

      But I have no idea of how they are set up.
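The "reject before any auth is asked" pattern from the last reply, as an added illustration that is not part of the thread and not GitHub's or Microsoft's code: the source address is checked against VPN/office ranges first, and only connections that pass that gate ever reach the credential (MFA-backed) check. The CIDR ranges, the `valid-token` stand-in for real authentication, and the request dict shape are constructed for this example. The one caveat worth seeing in code is that the check must use the socket peer address, never a client-supplied header such as X-Forwarded-For, otherwise an attacker outside the VPN can simply claim an inside address.

```python
import ipaddress
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Hypothetical VPN and office ranges (constructed for this example; RFC 5737/3849 documentation space).
VPN_RANGES: list[Network] = [
    ipaddress.ip_network(cidr)
    for cidr in ("10.8.0.0/16", "192.0.2.0/24", "2001:db8:1::/48")
]


def from_trusted_network(remote_ip: str, ranges: Iterable[Network] = VPN_RANGES) -> bool:
    """True only if remote_ip lies inside one of the allowed ranges.

    Malformed or empty addresses fail closed: a parse error is a rejection, not a bypass.
    """
    try:
        ip = ipaddress.ip_address(remote_ip)
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def gate(request: dict) -> tuple[int, str]:
    """Simulated request handling: network gate first, credentials second.

    `request` is a constructed stand-in with keys:
      peer_ip  - the TCP peer address as seen by the server socket
      headers  - client-supplied headers (deliberately ignored for the gate)
      token    - stand-in for an MFA-backed credential
    """
    # Only the socket peer address counts. X-Forwarded-For is attacker-controlled
    # unless a trusted proxy in front of us rewrites it, so it is never consulted here.
    if not from_trusted_network(request.get("peer_ip", "")):
        return 403, "rejected before authentication: source not on VPN/office network"

    # Only now does the server look at credentials at all.
    if request.get("token") != "valid-token":
        return 401, "authentication required"
    return 200, "ok"


if __name__ == "__main__":
    samples = [
        {"peer_ip": "10.8.3.4", "token": "valid-token"},            # inside VPN, good creds
        {"peer_ip": "10.8.3.4"},                                    # inside VPN, no creds
        {"peer_ip": "203.0.113.5", "token": "valid-token"},         # outside VPN, good creds
        {"peer_ip": "203.0.113.5", "token": "valid-token",
         "headers": {"X-Forwarded-For": "10.8.1.1"}},               # spoofed header, still outside
        {"peer_ip": "2001:db8:1::42", "token": "valid-token"},      # inside IPv6 range
        {"peer_ip": "not-an-ip", "token": "valid-token"},           # malformed: fail closed
    ]
    for req in samples:
        print(req.get("peer_ip"), "->", gate(req))
```

The ordering is the point: a stolen credential or SSH key is useless to someone who cannot reach the service at all, and the server never spends an auth round-trip (or leaks a "wrong password" vs "no such user" difference) to an address it would not serve anyway.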