#core
Mike Myers

03/24/2021, 5:42 PM
5:43 PM
the TLDR: GitHub secrets are safest in private repos
seph

03/24/2021, 7:09 PM
I don't think any of our current plans have much for secrets.
7:09 PM
But yeah, I also read this a ago
7:09 PM
Definitely doesn't sound good.
7:10 PM
Also sounds related to the long known and ignored thing where I can make it look like shas are part of upstream repos.
theopolis

03/24/2021, 11:13 PM
Everything has bugs, what’s impressive is GitHub’s response and the timeline, demonstrating again that they take this seriously.
11:15 PM
I’d still trust Secrets, but our long-term plan is to use 1Password or a similar off-platform solution to hold API access to credentials. This way we can incorporate an MFA check too.
seph

03/24/2021, 11:52 PM
maybe. Sorta? I think GitHub has some pretty neat security stuff (the various scanning, the Semmle acquisition). And while this did get fixed promptly, I think it’s also a bandaid because some backend can’t actually tell what org a commit is from. So there’s a shaky base.
11:52 PM
(hahahaha, like c memory management)