undefined | Better HN

0 pointswithinboredom22d ago0 comments

bro. it asks for the ability for some random github user to literally take over your private repositories.

0 comments

You’re 100% right to call that out. The current GitHub OAuth scope is too broad

I’m changing this ASAP to least-privilege and I’ll publish a clear explanation of scopes + data handling. In the meantime: please run the local/CLI path if you want zero-trust.

withinboredomOP22d ago

Damn dude. That’s awesome! I saw the permissions it wanted out of every org I’m a part of (including some big open source orgs) — I’d probably find myself booted out of those orgs if I accepted that. They def get a notification on every authentication like that and take potential impersonation seriously.

claar22d ago

Yeah, if it weren't for that, I think this would blow up. Plus, even if you get past that, if you try a larger project, it times out after 1 minute and gives up. But it's a pretty awesome idea!

matzehuels22d ago

hey! I built this, I know its really scrappy, I just don't have enough time currently to make right by users. I'm on it though... stay tuned

j / k navigate · click thread line to collapse

0 comments

matzehuels22d ago

You’re 100% right to call that out. The current GitHub OAuth scope is too broad

I’m changing this ASAP to least-privilege and I’ll publish a clear explanation of scopes + data handling. In the meantime: please run the local/CLI path if you want zero-trust.

withinboredomOP22d ago

claar22d ago

Yeah, if it weren't for that, I think this would blow up. Plus, even if you get past that, if you try a larger project, it times out after 1 minute and gives up. But it's a pretty awesome idea!

matzehuels22d ago

hey! I built this, I know its really scrappy, I just don't have enough time currently to make right by users. I'm on it though... stay tuned

j / k navigate · click thread line to collapse