
GitHub
"All your source code are belong to M$."
The popularity of Github has made it too big to block, which is a boon to dissidents ducking government censors but a problem for internet security. GitHub says it is used by more than 100 million developers around the world. Its popularity and utility ensures that the site is "relatively immune to Chinese censorship efforts …
Yes, MS are incapable of actually inventing anything useful. It gets bought in and made a bit rubbish whilst being improved through investment, unless it gets dropped on the floor. lol.
git was invented by Mr Torvalds to get away from a commercial code repository, that became unfriendly, for the Linux source code. git was and is a fully distributed system - your code is here and there and there etc. There is no central authority, per se.
Github and the like pander to ... well, all of us! We like a canonical source. We want mum and dad to tell us how to use the code and provide feedback etc etc. Soon, the killer feature of git is not destroyed but it is watered down. For open source code sharing across the world, github is largely unparalleled. For a corporate project, I would consider you mad to use it because you will have signed up to have your code shared with the owner - Microsoft. For that use Gitea or just git out of the box.
Not just source, I used to dump loads of random binaries on there too (basically a poor man's dropbox).
That said, I haven't engaged with GitHub since they forced consumer 2FA. It was finally the kick up the butt I needed to jump back to my own infrastructure. Everything is just cleaner and more fun again now.
The number of times one sees the "install" step being "curl -sSfL https://raw.githubusercontent.com/this/that/main/install.sh | bash" or similar is just depressing.
NO! Not now, not ever. What are we, 12? Package repositories with the keys and signing exist for a reason.
Use them.
And they require you to build packages for lots of different systems every time you release, which if this is a small project may not justify the effort to do so. In many cases, the philosophy is here's the code, you install it yourself. You are smart enough to do so.
A custom package repository for small projects also offers you little security benefit over a GitHub account. To use one of those, you add a key which you get from some internet site and you trust that nobody has managed to sign something with it that would be dangerous, whether that involved adding code to the GitHub repo without me noticing it was malicious or directly obtaining the signing key and using it. For larger projects where there is a single trusted source, the repo option makes more sense, but if you're dealing with GitHub user fuzjo949, using their package repository is not likely to be any more secure than cloning their repo and running the install script in it; the package will contain the same script and run it during installation. If new stuff was added to that script without fuzjo949 noticing, the new package will have that in it as well. At least when you know you're going to run a shell script as root, it gives you a chance to decide to read through it first.
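The safer habit the thread keeps circling back to, as an added example that is not from any of the commenters: download the installer to a file, check its SHA-256 against a value obtained out of band (release notes, a signed checksum file, a second channel), and only then read or run it. It assumes POSIX sh with curl and GNU coreutils sha256sum available; the demo hashes a constructed one-line script and never touches the network.

```shell
#!/bin/sh
# Added example, not from the thread: the alternative to `curl ... | bash`.
# Fetch to a file, verify the hash, then decide deliberately what to do with it.
# Assumes POSIX sh, curl and sha256sum (GNU coreutils).
set -eu

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 if FILE hashes to EXPECTED_HEX (hex case is ignored), 1 otherwise.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# fetch_installer URL EXPECTED_HEX OUTFILE
# HTTPS only, including for redirects, so a redirect cannot downgrade the
# transport; a copy whose hash does not match is deleted, never executed.
fetch_installer() {
    url=$1; expected=$2; out=$3
    curl -sSfL --proto '=https' --proto-redir '=https' -o "$out" "$url"
    if verify_sha256 "$out" "$expected"; then
        printf 'verified: %s (now read it, then run it if you choose)\n' "$out"
    else
        rm -f "$out"
        printf 'hash mismatch, removed %s\n' "$out" >&2
        return 1
    fi
}

# Offline demo with a constructed script: the "published" hash is computed from
# the known-good copy, then a mismatching hash stands in for a tampered copy.
demo() {
    tmp=$(mktemp)
    printf 'echo hello\n' > "$tmp"
    published=$(sha256sum "$tmp" | cut -d' ' -f1)
    verify_sha256 "$tmp" "$published" && echo "good copy accepted"
    verify_sha256 "$tmp" "deadbeef" || echo "tampered copy rejected"
    rm -f "$tmp"
}
```

Run `demo` to see both branches; `fetch_installer` is the piece you would use in place of the pipe-to-bash one-liner.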
Does curl have markedly worse performance than wget does? I haven't noticed any problem with that, so it supporting more protocols doesn't hurt me if I'm only using HTTPS. If I am using something else, curl probably has that, so that's handy. Wget is fine, but unless it does something that curl doesn't or does something better than curl does, I don't see why using curl is a problem.
Because having extra crap you don’t need increases the attack surface.
Well, it seems that traditional security defenses are going to have to consider GitHub a non-secure site and treat it as such.
That's impossible if you're working at a corp where clever MBAs have decided that all that corp's source code should be hosted on github instead of in-house.
Inspect where you're going. Is the user going to the company-specific site? It's probably fine. Are they going to the company's organization on the normal instance? It's still probably fine. Are they going to some other location? They might not be fine.
Of course, this requires the company to have some plan for what they'll do in that situation which they probably don't have. It's like they assume they can somehow use the internet without the risk that they'll find anything bad up there. It's not going to happen, even if you have a filter for some of the worst stuff.
Github is excruciating. I hate it with a passion.
Most of the time, if I point my browser at github, all I see is a little revolving thing on my screen which just sits there, and would presumably sit there until the stars go out if I didn't close the tab.
The idea of rendering everything with HTML is about as bone-headed as it gets. Code is text. Show me the text, not some bowdlerized version of it that's probably different in my browser.
And having to download twenty megabytes of data to send a ten character patch gets old really fast if you're on an ADSL line (in the industrial heartlands of the British midlands).
Everybody knows that the Bad Guys have been using it for years.
Count me out.
"And having to download twenty megabytes of data to send a ten character patch gets old really fast"
First, that's just git, not any particular frontend. Don't conflate them. Second, have you used the various partial or shallow clone options? You can use them to download less stuff and still get what you need. Git was designed to be decentralized and give you all the data up front, but you don't have to use it that way.
git clone --filter=blob:none <url>
Creates a local clone with the full commit message history, but only the latest code at HEAD (one version).
It will then download other versions of the code as-needed when you do things like git checkout, diff and blame.
It's magic, and really should be the default clone for most developers. Haven't figured out whether any of the nice GUI front ends do that though.
Microsoft can't stop a network of spammers / scammers from sending phishing spam from Outlook.com claiming it's from MAILER-DAEMON. Does anyone seriously think they have the wherewithal to identify malware when they're deathly afraid to do the slightest thing that might affect the status quo?
That company which published the report. Some of the principals / investors / etc have some very "interesting" backgrounds. To say the least.
Let's just say not people I would trust. About anything.
Everything about them just screams ulterior motives.