[ClusterLabs Developers] FYI: github policy change potentially affecting ssh/app access to repositories
Adam Spiers
aspiers at suse.com
Wed Apr 10 23:57:16 UTC 2019
Ken Gaillot <kgaillot at redhat.com> wrote:
>Hello all,
>
>Florian Haas and Kristoffer Grönlund noticed that the ClusterLabs
>organization on github currently carries over any app access that
>members have given to their own accounts.
Yep. I have a vague memory of discussing this with a GitHub employee
- IIRC he said that the problem only exists for OAuth apps using
GitHub's older API, but I might have totally misremembered that.
>This is not significant at the moment since we don't have any private
>repositories and few accounts have write access
It's not just about private repos; there's also a concern regarding
data privacy. I documented this here:
https://github.com/isaacs/github/issues/731
and funnily (or sadly) enough you can see that ClusterLabs is one of
the affected organizations listed in the example screenshot.
>but to stay on the
>safe side, we'd like to enable OAuth access restrictions on the
>organization account.
Yes, this is definitely a very good idea.
>Going forward, this will simply mean that any apps that need access
>will need to be approved individually by one of the administrators.
>
>But as a side effect, this will invalidate existing apps' access as
>well as some individual contributors' ssh key access to the
>repositories. If you are affected, you can simply re-upload your ssh
>key and it will work again.
>
>I'll wait a couple of weeks before implementing this change in case
>anyone wants to raise concerns.
Good plan. Thanks a lot!