- cross-posted to:
- technology@lemmy.world
- cross-posted to:
- technology@lemmy.world
You must log in or register to comment.
Misleading title.
If my thing was public in the past, and I took it private, the old public code is still public.That’s… How the Internet works anyway.
Edit: See Eager Eagle’s better explanation below.
TL;DR - be careful who you allow to fork your private repos. And if you need to take a public repo, which has forks, private, consider archiving the repo and doing all the new work in a new repo. Which is arguably the reasonable thing to do anyway.
Still a misleading title. This isn’t a way to break into all or even most of your private repositories.
That is not exactly what they are saying. You could create a private fork of a public repo and the code in your private fork is publicly accessible.
I don’t think you can create private forks from public repos (the fork is public upon creation). This is more like the opposite:
If there’s a private repo that is forked and the fork is made public, further changes to that original private repo become public too, despite the repo remaining private and the fork not being synced.
Misleading title.
The title literally spells out the concern, which is that code that is in a private or deleted repository is, in some circumstances, visible publicly.
What title would you propose?
If my thing was public in the past, and I took it private, the old public code is still public.
The “Accessing Private Repo Data” section covers a situation where code that has always been private becomes publicly visible.
the title is dyslexic at best
While this is still a massive problem, it does require a public fork at some point. So if you have a private repo that has never had a public fork, you should be safe.
Im thinking of self hosting Forgejo one day.
I do and it is pretty easy with docker compose.
Does it treat forks differently?
Damn that’s a huge problem
The takeaway is to not use forks if there are changes you want to keep private.
The takeaway is still https://sfconservancy.org/GiveUpGitHub/
Just this week I migrated all my repos from github to Gitlab. And only because I can’t host my own gits just yet, but will do it soon enough.
Im using a raspberry pi with a binary installation of Forgejo. Pretty easy to set up if you are comfortable with the terminal.
I’ve been migrating all my services hosted in UnRaid to ProxMox these last days, but Forgejo is absolutely on my list of new services to selfhosted. Thanks for the tip bud.
Codeberg is great too
Yeah, I’m just getting started, and for the life of me, haven’t found how to pull the Gitlab repos from it. But I will.
I tried but they demanded a phone number and credit card for “verification” and fuck that.
Also endless verification of you have resistfingerprinting on.
Thats probably what did it. Guess when given the options of let us track you or provide your real identity for us to track you. The option of fucking off is best.
After reviewing the documentation, it’s clear as day that GitHub designed repositories to work like this.
Sounds like they wanted to find a problem but it turned out to be a feature.
Yeah, pretty much everyone agrees that once something goes to git it lasts forever.
The fact they call out that secret keys must be rotated if committed, makes me think they thought just deleting a commit was enough 🤦
a problem that is documented is obviously a feature
