
199 points elza_1111 | 2 comments
UnreachableCode ◴[] No.44452675[source]
What I've never understood is, how is this an issue with private repos? Aside from open source projects I can't see the problem with accidentally doing this, even though it is a smell.
replies(5): >>44452714 #>>44452733 #>>44452828 #>>44453249 #>>44453819 #
froobius ◴[] No.44452733[source]
It's a bad idea...

- commit secret in currently private repo

- 3 years later share / make public

- forget the secret is in the commit history, and still valid (and relatedly, having long-lived secrets is less secure)

Sure that might not happen for you, but the chances increase dramatically if you make a habit of committing secrets.

replies(1): >>44452826 #
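
The scenario in the comment above, as an added example that is not part of the thread: a check to run before a private repository is shared, which looks for secret-like lines anywhere in the history rather than only in the current tree. The function name, the single regex rule and the sample `git log -p` output are assumptions constructed for illustration.

```python
import re

# Illustrative rule only; dedicated scanners ship far larger rule sets.
PATTERN = re.compile(r"(?i)(secret|token|passw(or)?d|api_?key)\w*\s*[=:]\s*['\"][^'\"]{8,}['\"]")

def secrets_in_history(log_text):
    """Find secret-like added lines in `git log -p` output.
    deleted_later=True: a commit also removed the line, so HEAD looks clean."""
    commit, path, added, removed = None, None, [], set()
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]
        elif line.startswith(("+++ ", "--- ")):
            continue  # file header lines, not content
        elif line.startswith("+") and PATTERN.search(line):
            added.append((commit, path, line[1:].strip()))
        elif line.startswith("-"):
            removed.add((path, line[1:].strip()))
    return [{"commit": c, "file": f, "line": t, "deleted_later": (f, t) in removed}
            for c, f, t in added]

# Constructed sample of `git log -p` output (newest commit first).
SAMPLE_LOG = '''commit 2222222

    Read token from the environment

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1 +1,2 @@
-API_TOKEN = "constructed-example-token-0001"
+import os
+API_TOKEN = os.environ["API_TOKEN"]

commit 1111111

    Initial config

diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1 @@
+API_TOKEN = "constructed-example-token-0001"
'''

print(secrets_in_history(SAMPLE_LOG))
```

A finding with `deleted_later` set is the case the comment describes: the value is gone from the working tree but still retrievable from history, so it needs rotating before the repository changes visibility.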
1. yard2010 ◴[] No.44452826[source]
In a large messaging app I worked for we self-hosted a GitLab instance for this exact reason. I thought it was over the top but now I get it, you can never be too sure.
replies(1): >>44455176 #