Topic: Github: when deleted is not deleted and private not private

madires (topic starter)
Good to know if you're using Github:
- Anyone can Access Deleted and Private Repository Data on GitHub: https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
 
The following users thanked this post: thm_w

brucehoult
« Reply #1 on: July 26, 2024, 01:34:38 pm »
That's just how any git repo works. Deleting a branch only deletes the entry in .git/refs/heads; it doesn't delete any commits or trees. If you can find the hash -- for example from your reflog -- then you can always resurrect it. At least until a git gc, which is always very infrequent and which github never does.

And, as the article notes, you can only do this if the repo was public at some point, and someone forked it, and you can find that fork.

The "guessing a short hash" thing only works if you're looking at a fork of the original, not just some random repo.

I used basically this technique to resurrect the RISC-V draft 0.7.1 gcc branch [1] after the branch was (cynically, I think) deleted in the official repo after RVV 1.0 was ratified. I found the hash in some old notes from when I was implementing RVV in the Spike emulator and writing RVV example code to test it in 2019.

[1] needed for programming THead C906/C910 until they recently published an updated gcc version, and eventually got it merged into gcc 14

https://github.com/brucehoult/riscv-gnu-toolchain (obsolete since gcc 14 release, unless you are allergic to adding th. prefix to all the instructions)
 
The following users thanked this post: bookaboo, golden_labels
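The mechanics brucehoult describes above (deleting a branch removes only the ref, the objects stay until a gc, and a fork taken earlier keeps them whatever the origin does), as an added shell example that is not code from the thread. It assumes `git` is on PATH, builds throwaway repositories under mktemp, and uses a constructed placeholder in place of a real secret.

```shell
#!/bin/sh
# Added example, not code from the thread: what `git branch -D` really removes,
# how a commit is brought back from its hash or the reflog, and why a fork taken
# earlier keeps the object even after the origin has genuinely purged it.
# Repo contents and the "secret" in config.env are constructed placeholders.
set -e

# Fresh repo: one commit on the default branch, one on a branch called "leak".
make_repo() {
  dir=$(mktemp -d)
  git init -q "$dir"
  git -C "$dir" config user.email demo@example.invalid
  git -C "$dir" config user.name Demo
  echo readme > "$dir/README"
  git -C "$dir" add README && git -C "$dir" commit -q -m initial
  base=$(git -C "$dir" rev-parse --abbrev-ref HEAD)
  git -C "$dir" checkout -q -b leak
  echo 'API_KEY=CONSTRUCTED-PLACEHOLDER' > "$dir/config.env"
  git -C "$dir" add config.env && git -C "$dir" commit -q -m 'add config'
  git -C "$dir" checkout -q "$base"
  echo "$dir"
}

# Delete the branch, then recover it: only .git/refs/heads/leak is gone, the
# commit/tree/blob objects are untouched and HEAD's reflog still points at them.
recover_after_delete() {
  dir=$(make_repo)
  git -C "$dir" branch -q -D leak
  hash=$(git -C "$dir" log -g --format='%H %s' HEAD | awk '/ add config$/ {print $1}')
  git -C "$dir" branch -q recovered "$hash"
  git -C "$dir" show recovered:config.env        # prints the "deleted" content
}

# Purge for real on the origin (expire reflogs, then gc with an immediate prune)
# and show that a clone made while the branch existed still has the object.
fork_survives_purge() {
  dir=$(make_repo)
  hash=$(git -C "$dir" rev-parse leak)
  fork=$(mktemp -d)
  git clone -q "$dir" "$fork"                     # the "fork" taken earlier
  git -C "$dir" branch -q -D leak
  git -C "$dir" reflog expire --expire=now --all
  git -C "$dir" gc -q --prune=now
  o=$(git -C "$dir" cat-file -e "$hash" 2>/dev/null && echo yes || echo no)
  f=$(git -C "$fork" cat-file -e "$hash" 2>/dev/null && echo yes || echo no)
  echo "origin:$o fork:$f"
}
```

The second function is the defender's takeaway: the reflog expire plus `gc --prune=now` is what it takes to actually remove an object locally, and even that does nothing for copies that already left the machine.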

SiliconWizard
« Reply #2 on: July 26, 2024, 08:44:58 pm »
Don't use github.
 

magic
« Reply #3 on: July 26, 2024, 08:57:01 pm »
Don't use git, period. You can change your legal sex, age, name and everything, but git log will still deadname you. I dunno what people expect from something that came from Linus.
 

golden_labels
« Reply #4 on: July 26, 2024, 10:03:08 pm »
Konstantin Ryabitsev “Cross fork object sharing in git is not a bug” (Jan 2022)

Too bad Truffle Security took a sensationalistic angle, raises a corpse and puts it in new clothes. It could’ve been a reasonable reminder.

The part of the article really worth reading is at the bottom: the “Implications” heading. Instead of the article’s general “your data will leak” fearmongering, it focuses on more substantive concerns: receiving impossible-to-understand false positives from security scans, GitHub processing data despite an order to stop doing so, and the general muddiness of the solution.
People imagine AI as T1000. What we got so far is glorified T9.
 

Siwastaja
« Reply #5 on: July 27, 2024, 03:22:18 pm »
Read halfway through it. Some idiotic sensationalism; is there finally some real problem?

What a blast from the past. So someone accidentally posted their private key / password / titpic / dickpic publicly on the internets and someone else took a copy (or "forked") it before they could delete it. What are you supposed to do as a service provider? Yellow media and concerned citizens demanded censorship of the Internet and other totally impractical measures to somehow prevent this mistake. This was in the early 2000s. We learned back then that there is no other way than never to make this mistake; and if you do, you suffer. Since freaking 2008 or so, yellow media has been telling people that once you put something online, you can't delete it.

Now even normal people have pretty much understood not to post sensitive information publicly on the internet (and be very careful where to post it), and have stopped blaming others for their own mistakes. Is it too much to expect from freaking programmers to do the same?
« Last Edit: July 27, 2024, 03:33:58 pm by Siwastaja »
 
The following users thanked this post: ebastler, magic

magic
« Reply #6 on: July 27, 2024, 03:43:31 pm »
> Is it too much to expect from freaking programmers to do the same?
With a little math and science, anyone can learn to code. Maybe you don't need to understand the concept of "distributed, immutable directed acyclic graph" to write JavaScript ;)
 

DiTBho
« Reply #7 on: July 27, 2024, 04:18:04 pm »
> Don't use github.

what is the alternative?
I am considering ... ummm, a private git server, running on mac-mini/intel at home  ;D
The opposite of courage is not cowardice, it is conformity. Even a dead fish can go with the flow
 

JPortici
« Reply #8 on: July 27, 2024, 04:42:47 pm »
> > Don't use github.
>
> what is the alternative?
> I am considering ... ummm, a private git server, running on mac-mini/intel at home  ;D

this! I run gitea instances, at home in a VM (waiting to shell out for a NAS/home server) and at work on a dedicated machine.. or Forgejo, as the gitea foundation has started having some questionable behaviour

you do know everything you upload to github is being used to train copilot, right?
« Last Edit: July 27, 2024, 04:44:21 pm by JPortici »
 

brucehoult
« Reply #9 on: July 27, 2024, 07:41:32 pm »
> > Don't use github.
>
> what is the alternative?
> I am considering ... ummm, a private git server, running on mac-mini/intel at home  ;D

What do you mean by "git server"?

Any machine that has a git repo on it, that you can access as a file server, or by ssh, or by http, is a "git server".

For example I'm working on a project called "merv" on my Windows machine. It is located at ~/projects/merv in Ubuntu on WSL. It of course has a .git directory inside it, as well as the checked-out files.

So I can just do this on my Mac (or on a Raspberry Pi, or one of my RISC-V boards .. whatever):

Code:
Mac-mini:~ bruce$ git clone wsl:projects/merv
Cloning into 'merv'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
Mac-mini:~ bruce$

That works simply because I can "ssh wsl". No other setup required.

No special "server" needed. That's the entire point of git. It's a distributed version control system, not a centralised one like CVS or SVN or most others that came before it.  Any user can push or pull branches or commits from any other user.
 
The following users thanked this post: bpiphany, SiliconWizard, DiTBho

DiTBho
« Reply #10 on: July 28, 2024, 03:21:36 am »
> What do you mean by "git server"?

git server exposed to the internet
means
  • web-git interface, therefore it also implies http server,  running PHP/Python mod + PHP/Python programs
  • SSHd, exposed to the internet
  • (optionally) GITd exposed to the internet
  • high security policies (1)
  • a system to collect { requests, notes, comments, bug reports, ... } usually using a PHP/Python mod (2)
  • a way to provide and manage pull requests (3)

(1) if you expose it on the internet, you have to pay much more attention, and these are things that with distros like Gentoo you don't find already set up; you necessarily have to review them carefully and in every single detail. So saying "I'll make a git server" that only runs in your own intranet and never goes on the public internet makes a huge difference, also in how you compile and configure each single dependency.

(2) git itself only allows you to associate your email with your commits, which is nice, but then you still need something to publish interesting comments, notes, and various bug issues.

(3) "pull request" is not a feature of Git itself, it's a feature offered by Github. So, you need to provide a similar mechanism!
This is because usually you do not have permission to clone and push someone else's repository on the internet, so you "fork" it into your own Github repository.
Then you can clone your own Github repository and push your commits there.
If you want your commits to go into the original author's repository, you first define another origin for that repository - called "upstream" - and then you send a "pull request".

« Last Edit: July 28, 2024, 05:24:17 am by DiTBho »
The opposite of courage is not cowardice, it is conformity. Even a dead fish can go with the flow
 

DiTBho
« Reply #11 on: July 28, 2024, 03:29:41 am »
> No special "server" needed

sure, when you compile from sources, there are flags to be enabled

Code:
dev-vcs/git    blksha1 curl gpg iconv nls pcre perl safe-directory webdav cgi cvs doc highlight keyring mediawiki perforce selinux subversion test tk xinetd

+webdav: Adds support for push'ing to HTTP/HTTPS repositories via DAV
+ cgi: Install gitweb too
...
The opposite of courage is not cowardice, it is conformity. Even a dead fish can go with the flow
 

DiTBho
« Reply #12 on: July 28, 2024, 03:38:43 am »
Code:
git config --global user.email "<...@...>"
git config --global user.name "<....>"
The opposite of courage is not cowardice, it is conformity. Even a dead fish can go with the flow
 

DiTBho
« Reply #13 on: July 28, 2024, 03:45:37 am »
GITd: exposing it to the internet also implies Git-on-the-Server-Git-Daemon.
The opposite of courage is not cowardice, it is conformity. Even a dead fish can go with the flow
 

mfro
« Reply #14 on: July 28, 2024, 08:42:44 am »
A strange article, IMHO.

If you don't want to have something publicly available, you probably shouldn't put it on a service whose main purpose is to make things publicly available in the first place.


Beethoven wrote his first symphony in C.
 
The following users thanked this post: Siwastaja, NivagSwerdna

DiTBho
« Reply #15 on: July 28, 2024, 11:48:54 am »
> A strange article, IMHO.
>
> If you don't want to have something publicly available, you probably shouldn't put it on a service whose main purpose is to make things publicly available in the first place.

yes it's a bit contradictory, but that's how it is...  :-//
The opposite of courage is not cowardice, it is conformity. Even a dead fish can go with the flow
 