[ClusterLabs Developers] FYI: github policy change potentially affecting ssh/app access to repositories

Adam Spiers aspiers at suse.com
Wed Apr 10 23:57:16 UTC 2019


Ken Gaillot <kgaillot at redhat.com> wrote: 
>Hello all,
>
>Florian Haas and Kristoffer Grönlund noticed that the ClusterLabs 
>organization on github currently carries over any app access that 
>members have given to their own accounts. 

Yep.  I have a vague memory of discussing this with a GitHub employee 
- IIRC he said that the problem only exists for OAuth apps using 
GitHub's older API, but I might have totally misremembered that. 

>This is not significant at the moment since we don't have any private 
>repositories and few accounts have write access 

It's not just about private repos; there's also a concern regarding 
data privacy.  I documented this here: 

    https://github.com/isaacs/github/issues/731

and funnily (or sadly) enough you can see that Clusterlabs is one of 
the affected organizations listed in the example screenshot. 

>but to stay on the 
>safe side, we'd like to enable OAuth access restrictions on the 
>organization account. 

Yes, this is definitely a very good idea. 

>Going forward, this will simply mean that any apps that need access 
>will need to be approved individually by one of the administrators. 
>
>But as a side effect, this will invalidate existing apps' access as 
>well as some individual contributors' ssh key access to the 
>repositories. If you are affected, you can simply re-upload your ssh 
>key and it will work again. 
>
>I'll wait a couple of weeks before implementing this change in case 
>anyone wants to raise concerns. 

Good plan.  Thanks a lot! 



More information about the Developers mailing list