Travis-CI published a security bulletin the other day, describing a special condition that would allow to access secrets belonging to a foreign repository in Github or Bitbucket. The condition requires a fork from a public repository. That’s how open source work, and very central functionality. Not a corner case.
Turns out, the cloud service did address the issue, still plenty of secrets have been affected:
While cloud technology is all great economically, this is another sample of why commercial software vendors need to consider third party vendors in their threat profiles.
GitHub just started to publish a public Roadmap. Not even a login is required. Product People will appreciate, this is pretty huge commitment for an organization.
Github is on a spree to get hold of the entire developer ecosystem. Offering the service for free to all teams, it’s difficult for any development team to ignore the Microsoft based platform.
GitHub today announced that all of its core features are now available for free to all users, including those that are currently on free accounts. That means free unlimited private repositories with unlimited collaborators for all, including teams that use the service for commercial projects, as well as up to 2,000 minutes per month of […]
The acquisition happened only one day after Github became a CVE Numbering Authority (CNA)
GitHub today released a CI/CD Tool, GitHub Actions. With the tight integration into development workflows and rich, community maintained build-command, actions appears an interesting competitor in the market. As a minimum, the release indicates the importance of CI/CD for the modern software development lifecycle.
Developer productivity and frictionless workflows have been buzzwords for the past half decade and the arrival and rapid growth of Travis-CI, Jenkins or Cirlce-CI have proven the resonance in development organisations. GitHub has outstanding testimonials from day one on the announcement and the ecosystem appears to be ready to go.
It is an offering that comes with appealing integrations and a competitive price, that sure is worth watching.
GitHub Actions makes it easy to automate all your software workflows, now with world-class CI/CD. Build, test, and deploy your code right from GitHub. Make code reviews, branch management, and issue triaging work the way you want.
The other day wrote this in their post on LinkedIn. Following the link takes one to the newly announced Github Package Registry, that allows developers to host releases for distribution. It’s currently in beta and supports npm, docker images, maven packages, NuGet and Ruby Gems. The corresponding blog article has a few more insights:
With GitHub Package Registry your packages are at home with their code—sign up for the limited beta to try it out.
From the blogpost
While I appreciate the thought and easiness of integration, the announcement doesn’t leave me with a cosy feeling. It’s a bit like GitHub is trying to become the Facebook of code. The Internet is made to work decentralised and the interesting part always has been the freedom of choice. With functionality merging together in one platform, choice gets lost and there is opportunity of misuse.
In particular, it seems almost forgotten that Github, just like Linkedin, have been acquired by Microsoft in 2016 and 2018. This perspective throws another light on the added functionality and developers may want to evaluate remaining alternatives.
NETRESEC took a closer look at the long lasting DDoS attacks on github.com. One of the few instances of this type of attack that even made it to mainstream media.
The article finds random web browsers from outside China are tricked into reloading two particular pages on github.com. Apparently, this happens by manipulating requests coming from users physically outside China to services in country hosted content at the border infrastructure.
This is another example of why encryption is a good thing. General usage of SSL/TLS will prevent passive filtering infrastructure from manipulating traffic, and prevent such problems.