undefined | Better HN

0 pointsraxxorrax6y ago0 comments

> dumb enough to put secrets in the code.

Man, I have tons of auth data in services like AWS just in environment variables. But pushing your rsa key to github must have happened on a bad monday.

I do often have auth info in code, plainly because of time constraints. You just have to remember it before pushing anything on github.

But aside from that, is it possible to file a DMCA for anything that has been forked if it was published under a license that permitted that action?

0 comments

vthriller6y ago

> You just have to remember it before pushing anything on github.

Do you read commit history looking for, say, relocated secrets? Do you go through the pain of rewriting said history regardless of whether you avoid merges with your current workflow or not? For me, that's too many risky and involving things to do. This advice will only work if you're only going to export squashed commits from private repo to the public one once in a while.

ilikehurdles6y ago

The best thing to do is assume the secret is fully compromised the second it hits GitHub, and consider it worthless to protect with these measures. Get a new secret immediately and trash the old one.

alias_neo6y ago

I think they examples you've listed are different, and more acceptable than pushing secrets and private keys to Github because you had dozens of them hard-coded.

As for the aside, I imagine (with no background knowledge here) that as "owner" if you accidentally published something within that licensed code that does not belong or isn't covered by that license, you should probably have the right to remove it

kiallmacinnes6y ago

What if I accidentally contributed a little bit too much code to the Linux kernel? What if that code had been in the last 10 releases? What about the users and distributions running those versions?

I'm not sure the answer is, or should be, as simple as "derp - delete immediately, this was never meant to be Open Source".

That said, if the code was stolen, and then published under an OS licence - it's not OS. The "publisher" never had the rights to make it OS, so the "contract" is null and void...

alias_neo6y ago

This is what I was thinking. If it's something that wasn't meant to be published, I assume your right as the owner hold.

How you'd solve this, logistically in an example like yours (Linux kernel) I have no idea, but I presume by the time it's been made public long enough to be cloned/forked (a la the company in question in OP) all of your efforts should be focused on damage control.

j / k navigate · click thread line to collapse

0 pointsraxxorrax6y ago0 comments

> dumb enough to put secrets in the code.

Man, I have tons of auth data in services like AWS just in environment variables. But pushing your rsa key to github must have happened on a bad monday.

I do often have auth info in code, plainly because of time constraints. You just have to remember it before pushing anything on github.

But aside from that, is it possible to file a DMCA for anything that has been forked if it was published under a license that permitted that action?

0 comments

vthriller6y ago

> You just have to remember it before pushing anything on github.

ilikehurdles6y ago

The best thing to do is assume the secret is fully compromised the second it hits GitHub, and consider it worthless to protect with these measures. Get a new secret immediately and trash the old one.

alias_neo6y ago

I think they examples you've listed are different, and more acceptable than pushing secrets and private keys to Github because you had dozens of them hard-coded.

kiallmacinnes6y ago

What if I accidentally contributed a little bit too much code to the Linux kernel? What if that code had been in the last 10 releases? What about the users and distributions running those versions?

I'm not sure the answer is, or should be, as simple as "derp - delete immediately, this was never meant to be Open Source".

That said, if the code was stolen, and then published under an OS licence - it's not OS. The "publisher" never had the rights to make it OS, so the "contract" is null and void...

alias_neo6y ago

This is what I was thinking. If it's something that wasn't meant to be published, I assume your right as the owner hold.

j / k navigate · click thread line to collapse