undefined | Better HN

0 pointshanble3y ago0 comments

That's true, but feels like these are always judgment calls. We can always armchair quarterback their judgment calls, but none of us have the full info. At least GH is sharing this info, which is a good call for trust building IMO.

0 comments

averysmallbird3y ago

That's not fully Github's choice to make. They made a judgement call based on seemingly incomplete evidence, and have different incentives that everyone else.

Repository owners may well have a different level of acceptable risk or legal obligations over the integrity of their source code. For example, if I was maintaining security software or a popular package, it would be entirely appropriate to stop everything and look for abuse. Waiting three months makes that harder.

I'm not sure that's trust building.

hanbleOP3y ago

Fair point - I think that's very fair criticism

remram3y ago

This is only a judgment call because they have no idea. The fact that they have no idea whether your organization's data was leaked is exactly what people here are complaining about.

j / k navigate · click thread line to collapse